POLICY NAME: Health Insurance Portability and Accountability Act Security (HIPAA) Policy
INTRODUCTION: The Health Insurance Portability and Accountability Act (HIPAA), Public Law 104-191, was signed into law on August 21, 1996. The primary intent of HIPAA is to provide better access to health insurance, limit fraud and abuse, and reduce administrative costs.
The main goal was to ensure the portability of health insurance benefits particularly as individuals moved from job to job. Embedded in the law was a subtitle, the Administrative Simplification Act, with three additional goals:
- Simplify the administration and processing of health data by implementing industry-wide standards for transmitting certain health and related financial information;
- Create standards to ensure the privacy and security of health information that is transmitted or stored electronically; and
- Reduce the costs and administrative overhead of processing health and related financial information.
Goal number two above deals with the security rule.
SCOPE: This policy sets forth the framework for Georgetown University’s compliance with the Security Rule of HIPAA. This policy is limited to the final HIPAA Security Rule. Other aspects of law, including rules governing privacy and human subject research, are addressed in other University policies. See the University’s IRB website for policies governing human subject research, and the University’s Policies, Procedures and Handbooks web site for policies and guidelines concerning privacy and computer security. Georgetown University recognizes that adequate and appropriate security is necessary for HIPAA’s privacy rules to work as intended.
APPLICABILITY: The HIPAA Security Policy applies to the HIPAA-covered entities at Georgetown University. Covered entities are defined in the HIPAA Privacy Policies.
Electronic Protected Health Information: ePHI includes any computer data relating to the past, present or future physical or mental health, health care treatment, or payment for health care. ePHI includes information that can identify an individual, such as name, social security number, address, date of birth, medical history or medical record number, and includes such information transmitted or maintained in electronic format, but excluding certain education and student treatment records. Not included within ePHI are student education records, including medical records (which are protected under FERPA), medical records of employees received by Georgetown University in its capacity as an employer, and workers’ compensation records. Although these records are not covered under the HIPAA Privacy or Security Rules, other University Policies cover the confidentiality and security of these materials. There are special provisions in the law governing the release of psychotherapy records.
HIPAA Security Officer: the HIPAA Security Officer is the University Information Security Officer (UISO). This position is defined in the University Information Security Policy.
Local HIPAA Security Personnel: Each covered entity is required to appoint a person responsible for HIPAA security. S/he may or may not be the Local Information Security Personnel, as defined in the University Information Security Policy.
HIPAA Security Rule: This rule covers security standards for certain health information specifically focusing on safeguarding electronic protected health information (ePHI).
HIPAA Privacy Rule: This rule defines the standards for how protected patient health information should be controlled. See HIPAA Privacy Policies, including definitions.
The Security Rule defines the standards, which require covered entities to implement basic safeguards to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI). Privacy depends upon security measures: no security, no privacy.
ADMINISTRATION AND IMPLEMENTATION:
The covered components of Georgetown University will maintain the security of electronic protected health information (ePHI), in the manner set forth in the Georgetown HIPAA Security policies. Georgetown University will adhere to all applicable general requirements, approaches, standards, implementation specifications, and maintenance requirements of the Security Rule in developing and maintaining policies and procedures for security standards for the protection of electronic protected health information. Whenever there is a change in law that necessitates a change to Georgetown University Security policies and procedures, Georgetown University will promptly document and implement the revised policies and procedures.
REQUIREMENTS AND RESPONSIBILITIES:
The HIPAA Security Rule requires the University to put into place appropriate administrative, physical and technical safeguards to protect the integrity, confidentiality and availability of electronic protected health information (ePHI) that is created, received or managed by the University’s covered components.
1.1 Risk Analysis: All covered components will perform a yearly risk analysis, which will provide an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI managed by the covered component. [Addresses HIPAA Section 164.308(a)(1).]
1.2 Risk Management: All covered components will implement measures to reduce computer risks and vulnerabilities, including identifying and documenting potential risks and vulnerabilities that could impact systems managing ePHI, and performing annual technical security assessments of systems managing ePHI in order to identify and remedy detected security vulnerabilities. [Addresses HIPAA Section 164.308(a)(1).]
1.3 Sanctions: Covered entities will adhere to the sanctions statement in this policy, found under ENFORCEMENT. [Addresses HIPAA Section 164.308(a)(1).]
1.4 Information System Activity Review: all covered components will periodically review information system activity records—including audit logs, access reports, and security incident tracking reports—to ensure that implemented security controls are effective and that ePHI has not been potentially compromised. [Addresses HIPAA Section 164.308(a)(1).] Measures should include:
1.4.1 Enabling logging on computer systems managing ePHI.
1.4.2 Developing a process for the review of exception reports and/or logs.
1.4.3 Developing and documenting procedures for the retention of monitoring data. Log information should be maintained for up to six years, either locally on the server or through the use of backup tapes.
1.4.4 Periodically reviewing compliance with the University Information Security Policy and its associated procedures.
1.5 Assigned Security Responsibility: each covered component will identify a local security official, known as local information security personnel, responsible for the adherence to this policy and to the implementation of procedures required to protect the confidentiality, integrity and availability of ePHI. This person may be the same as the Local Security Personnel as described in the University Information Security Policy. [Addresses HIPAA Section 164.208(a)(2).]
1.6 Workforce Security: all covered components will establish procedures that ensure only authorized personnel have access to systems that manage ePHI. [Addresses HIPAA Section 164.308(a)(3).] Measures that each covered component should address include:
1.6.1 Establishing a procedure that requires managerial approval before any person is granted access to systems managing ePHI.
1.6.2 Performing appropriate background checks, where appropriate, before any person is granted access to systems managing ePHI.
1.6.3 Limiting authorized persons’ access to ePHI to the extent that access to this information achieves the requirements of the person’s job responsibilities.
1.6.4 Implementing procedures for terminating access to ePHI when the employment of a person ends or the job responsibilities of the person no longer warrants access to ePHI.
1.6.5 Periodically reviewing the accounts on systems managing ePHI to ensure that only currently authorized persons have access to these systems.
1.7 Information Access Management: all covered components will establish procedures in compliance with the University Information Security Policy and its associated procedures that ensure that systems that manage ePHI have authorization controls that allow only authorized personnel access. [Addresses HIPAA Section 164.308(a)(4).]
1.8 Security Awareness and Training: all covered components will ensure that their local security personnel receive periodic security updates and their members receive HIPAA security rule training. [Addresses HIPAA Section 164.308(a)(5).]
1.9 Password Management: all covered components will adhere to the University’s Information Security Policy and Procedures regarding passwords on systems managing ePHI as they are stronger than HIPAA requirements. In addition, passwords must be forced to change periodically, and must be changed immediately if compromised. [Addresses HIPAA Section 164.308(a)(5).]
1.10 Security Incident Procedures: all covered components must have procedures in place so that their local HIPAA security personnel and the University Information Security Officer are notified when a system managing ePHI is involved in a security incident (examples include virus or worm infection, accounts being compromised, and servers damaged from a denial of service attack). [Addresses HIPAA Section 164.308(a)(6).]
1.11 Contingency Plan: all covered components must have procedures in place to respond to an emergency or other occurrence that damages systems managing ePHI. [Addresses HIPAA Section 164.308(a)(7).] Measures that each covered component should address include having procedures for creating and maintaining backups of ePHI adequate to restore both ePHI and the systems maintaining this data; establishing procedures to restore any loss of data due to a disaster; and developing an emergency-mode operation plan that enables continuation of critical processes to assure access to ePHI and provide for adequate protection of the security of ePHI while operating in emergency mode in the event an at-risk system is identified or a failure occurs.
1.12 Evaluation: each covered component should perform an annual review to demonstrate its compliance with the University’s HIPAA Security Policy. [Addresses HIPAA Section 164.308(a)(8).]
2. Physical Safeguards
2.1 Facility Access Controls: each covered component will ensure that systems that manage ePHI are kept in areas with physical security controls that restrict access. University procedures are documented with the University Information Security Policy. [Addresses HIPAA Section 164.310(a)(1).]
2.2 Workstation Use: each covered component will ensure that only designated workstations possessing appropriate security controls will be used to access and manage ePHI, and that these workstations are not used in publicly-accessible areas nor used by multiple users not authorized to access ePHI. This security measure extends to the use of laptops and home machines. [Addresses HIPAA Section 164.310(b).]
2.3 Workstation Security: each covered component will ensure that physical safeguards are in place to protect workstations that access and manage ePHI consistent with the University Information Security Policy. [Addresses HIPAA Section 164.310(c).]
2.4 Device and Media Controls: each covered component will ensure that procedures are in place to govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, and the movement of these items within the facility. Media can include hard disks, tapes, floppy disks, CD ROMs, optical disks, and other means of storing computer data. [Addresses HIPAA Section 164.310(d)(1).] Measures that each covered component should address include disposing of media with ePHI, when it is discarded or reused, using means that prevent its recovery, and ensuring that backups of ePHI are created before systems managing ePHI are moved.
3. Technical Safeguards
3.1 Access Control: each covered component will ensure that security controls are in place to protect the integrity and confidentiality of ePHI residing on computer systems, including applications, databases, workstations, servers, and network equipment using procedures associated with the University Information Security Policy. [Addresses HIPAA Section 164.312(a)(1).]
3.2 Audit Controls: each covered component should have audit controls implemented that allow an independent reviewer to review system activity. [Addresses HIPAA Section 164.312(b)]
3.3 Integrity: each covered component should ensure that systems and applications managing ePHI have the capability to maintain data integrity at all times. [Addresses HIPAA Section 164.312(c)(1).]
3.4 Person or Entity Authentication: each covered component should have controls in place that verify that a person seeking access to ePHI is the one claimed. [Addresses HIPAA Section 164.312(d)]
3.5 Transmission Security: each covered component should have controls in place that ensure that the integrity of ePHI is maintained when in transit. Secure transmission mechanisms that encrypt ePHI and confirm that data integrity has been maintained should be used. The use of e-mail for transmitting ePHI should be avoided; if required, e-mails with ePHI should be encrypted. [Addresses HIPAA Section 164.312(e)(1).]
- Articulated responsibilities of individuals. Members of the university community are obligated to abide by the Georgetown University Computer Systems Acceptable Use Policy, the Guidelines for Systems and Network Administrators, the University Information Security Policy, and other applicable policies to maintain the security and integrity of information systems and ePHI.
Notification and Record Keeping: Consistent with the University Information Security Policy, it is the responsibility of Local HIPAA Security Personnel to notify the University Information Security Officer, who will log any and all incidents. Security incidents resulting in harmful effects known to Georgetown University will be mitigated to the extent practical.
Information Security: Individuals who access, receive, or otherwise handle or control electronic protected health information (ePHI) on Georgetown University systems will do so securely and responsibly. In addition to the directives specified in the HIPAA Security Rule, in Georgetown University policies, and in department or area procedures, these individuals are expected to exercise good judgment in maintaining the security of all ePHI.
Systems Administrators: Systems and network administrators will administer information systems and networks in a manner that protects the confidentiality, integrity, and availability of the electronic protected health information (ePHI) that is stored in them or transmitted through them, including all systems that are connected to internal Georgetown University networks (GUnet) consistent with all applicable university policies.
Every employee in a covered component with access to ePHI is required to adhere to all HIPAA mandates. Violation of this policy may result in disciplinary action up to and including termination of employment. Under federal law, violation of the HIPAA privacy rule may result in civil monetary penalties of up to $250,000 per year and criminal sanctions including fines and imprisonment.
Security Procedural Guidelines
MedStar Privacy and Security references
ACKNOWLEDGEMENTS: The Georgetown University HIPAA Security Policy is adapted, with permission, from the HIPAA Security Policies at the University of Rochester and the University of Pittsburgh.
Office of University Counsel April 18, 2005
Office of Internal Audit and Management Analysis April 18, 2005
Approved by the HIPAA Review Committee April 18, 2005
Approved by the Vice President for Information Services and CIO April 20, 2005
Approved by the Vice President and General Counsel April 20, 2005
Pending Final Approval by the President’s Cabinet
REVIEW CYCLE: tbd