HIPAA Security Rule Policy
Op12.07-15 HIPAA Security Rule Policy
Definitions
Health Insurance Portability and Accountability Act of 1996 (HIPAA): Protects the privacy of individually identifiable health information and includes the HIPAA Security Rule (which sets national standards for the security of electronic protected health information), the HIPAA Breach Notification Rule (which requires covered entities and business associates to provide notification following a breach of unsecured protected health information), and the confidentiality provisions of the Patient Safety Rule (which protect identifiable information being used to analyze patient safety events and improve patient safety).
Protected Health Information (PHI): Any information that identifies an individual and relates to that individual’s physical or mental health, health care or treatment, and payment for health care or treatment.
Electronic Protected Health Information (ePHI): PHI that is created, stored, transmitted, or received electronically.
Hybrid HIPAA Covered Entity: An organization where only selected areas deal with PHI.
Policy statement
As a Hybrid HIPAA Covered Entity (CE), Missouri State University will protect electronic Protected Health Information (ePHI) by addressing Administrative Safeguards, Physical Safeguards, and Technical Safeguards. The subcategories under each of the three main categories are linked to the specific policies that implement them and point to existing security policy where applicable. This policy is based on Appendix A to Subpart C of Part 164 – Security Standards: Matrix, 68 Fed. Reg. 8333, 8380 (Feb. 20, 2003).
Administrative safeguards
- Security Management Process: Information Security Risk Assessment and Management policy, Sanctions for Misuse
- Assigned Security Responsibility: Information Security Unit Organization and Mission policy, Privacy and Security Officers
- Workforce Security: Employee Termination Procedures, Computers/Networks Policy, User Access to Electronic Data, Information Security Identity and Access Management policy
- Information Access Management: Data Security Policy, Information Security Identity and Access Management policy
- Security Awareness and Training: HIPAA Privacy & Security Training, Information Security Awareness and Training policy
- Security Incident Procedures: Information Security Incident Response policy
- Contingency Plan: Information Security Disaster Recovery of Core Systems, Computers/Networks Policy
- Evaluation: Auditing & Monitoring of HIPAA Department Operating Regulations
- Business Associate Contracts and Other Arrangements: Business Associates
Physical safeguards
- Facility Access Controls: Information Security Physical Security policy
- Workstation Use: Acceptable Use Policy, Information Security Component Integration and Removal policy
- Workstation Security: Computers/Networks Policy, Data Security Policy, Information Security Component Integration and Removal policy
- Device and Media Controls: Retention & Protection of PHI, Customer Information Policy, Data Security Policy, Information Security Information Management policy
Technical safeguards
- Access Control: User Access to Electronic Data, Data Security, Information Security Identity and Access Management policy
- Audit Controls: Information Security Network and Computing Infrastructure policy
- Integrity
- Person or Entity Authentication: User Access to Electronic Data, Information Security Identity and Access Management policy
- Transmission Security: Information Management policy