HIPAA Security Regulation REG 01.25.10

Governance Authority: Issued by the Chancellor. Changes or exceptions to administrative regulations issued by the Chancellor may only be made by the Chancellor.
History: First Issued: April 18, 2005.
Additional History Information:
Related Policies:
Additional References:
Contact Info: The NCSU Security Officer is Jeff Webster, hipaa_security@ncsu.edu, 919-513-4083

1. INTRODUCTION

This regulation establishes security procedures for confidential health information in electronic form, as required by U.S. Department of Health and Human Services regulations under the Health Insurance Portability and Accountability Act (HIPAA). It should be read in conjunction with the University's administrative regulations on HIPAA privacy as well as the federal regulations for HIPAA.[1] This regulation may also be used to inform security practices beyond the requirements of HIPAA.

2. DEFINITIONS

Selected HIPAA terms are defined in this section for convenience. For full legal definitions and for additional terms, see the federal HIPAA regulations.

2.1. "Authorization": specialized written permission for use and/or disclosure of PHI for purposes other than treatment, payment or health care operations. An Authorization for use and disclosure of non-student PHI must be HIPAA compliant and an Authorization for use and disclosure of student PHI must be FERPA compliant. (See also, "Consent.")

2.2. "Business Associate": a person or entity:
2.2.1. who performs, or assists in the performance of, a function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing; or

2.3. "Consent": permission for use and disclosure of PHI for treatment, payment, and health care operations. (See also, "Authorization.")

2.4. "Disclosure": the release, transfer, provision of, access to, or divulging in any other manner of information outside the entity holding the information.

2.5. "Electronic media":
2.5.1. Electronic storage media including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; or

2.6. "Health Care Components": the units within NC State University that provide health care and therefore are responsible for privacy and security of Protected Health Information. The Health Care Components are Student Health Services, the Counseling Center, and Sports Medicine. The following units are also included to the extent they assist Student Health Services, the Counseling Center, or Sports Medicine with health care functions (including billing and payment and other aspects of management of Protected Health Information):
· Administrative Computing Services
· Enterprise Information Systems
· Network and Client Services
· Internal Audit
· Legal Affairs
· Risk Management
· University Cashier
· Accounts Receivable
· Information Technology Division

2.7. "Individual": the person who is the subject of PHI.

2.8. "Protected Health Information" (PHI): 1) health information, including demographic information, 2) created or received by a health care provider, 3) which relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual, and 4) that identifies or can be used to identify any individual. PHI does NOT include education records, student medical records as covered in the Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. 1232g; 34 CFR Part 99), or de-identified PHI. De-identified PHI is health information that cannot be identified to the individual patient. De-identified PHI must have the specific identifiers set forth in HIPAA removed with respect to the individual and his or her relatives, employers and household members.

2.9. "Security Incident": an attempted or successful unauthorized access, use, disclosure, modification, or destruction of information, or interference with system operations in an information system.

3. GENERAL REQUIREMENTS

The Health Care Components at NC State University must make reasonable efforts to:
· Ensure the confidentiality, integrity, and availability of all electronic protected health information they create, receive, maintain, or transmit.
· Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
· Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the HIPAA privacy regulations.
· Ensure compliance by University employees.

4. ADMINISTRATIVE SAFEGUARDS

4.1. Security Management Process
4.1.1. The Security Officer and the Health Care Components shall assess potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI held by the Health Care Components.
4.1.2. The Security Officer and the Health Care Components shall implement measures to reduce risks and vulnerabilities to a reasonable level.
4.1.3. The Security Officer shall notify supervisors if any employees fail to comply with the University's security requirements for electronic PHI. Any employee who is found in violation of University policies, regulations, or rules regarding the privacy and confidentiality of medical information is subject to disciplinary action up to and including discharge in accordance with University employment policies.
4.1.4. The Security Officer and the Health Care Components shall regularly review records of information system activity.

4.2. Workforce Security
4.2.1. The head of each Health Care Component is responsible for deciding which employees shall receive authorization to access electronic PHI, and for supervising that access. Authorization shall be consistent with section 4.3 below and with the rule on "Use and Disclosure of Protected Health Information."
4.2.2. The head of each Health Care Component shall provide the Security Officer with a list, during annual review, of all employees who should be authorized to access electronic PHI for work purposes. The list shall be promptly updated during the year to account for employees who should be added to or removed from the list.
4.2.3. When an authorized employee leaves the University workforce or otherwise no longer has a work-related justification for access to electronic PHI, that employee's authorization and access shall be terminated: the Health Care Component supervisor shall promptly enter a PeopleSoft action, or take equivalent action, so that computer administrators know to immediately terminate the computer account of that employee, or to terminate the access to electronic PHI if the account is to otherwise remain active.

4.3. Information Access Management
The Security Officer and the heads of the Health Care Components shall authorize access to electronic PHI only where the person receiving access has a need to access the information on behalf of the University, and where the person can be trusted to keep the information private. The type of access may vary according to the role of the person receiving access, and shall be modified by the Security Officer or heads of Health Care Components if the person's role changes to require greater or less access. All access rights shall be documented.

4.4. Security Awareness and Training
4.4.1. The Security Officer and Health Care Components shall send periodic reminders about good security practices to the Health Care Component employees.
4.4.2. The Security Officer and Health Care Components shall provide training and procedures to help Health Care Component employees:
4.4.2a. Protect against malicious software;
4.4.2b. Monitor log-in attempts; and
4.4.2c. Create and manage passwords.
4.4.3. The reminders, trainings, and procedures noted in this subsection shall be posted by the Security Officer on a website accessible to all employees who have access to electronic PHI at the University; provided that no information shall be posted if its disclosure could weaken security.

4.5. Security Incidents
The Security Officer and Health Care Components shall make reasonable efforts to identify, prevent, remedy or mitigate, and document security incidents. The Health Care Components shall report any security incidents to the Security Officer, who shall maintain a central record describing threats to or breaches of security for electronic PHI, and the response taken.

4.6. Contingency Plan
4.6.1. The Security Officer and Health Care Components shall establish:
4.6.1a. A data backup plan;
4.6.1b. A disaster recovery plan;
4.6.1c. An emergency mode operation plan; and
4.6.1d. Periodic testing and revision of the foregoing plans.
4.6.2. The Security Officer and Health Care Components shall rank the importance of specific applications and data when making contingency plans.

4.7. Business Associate Requirements
4.7.1. Business associates may work with electronic PHI on behalf of the University, provided they safeguard the information. Satisfactory assurances must be documented in a written contract or comparable arrangement with the business associate.
4.7.2. University agreements with business associates must require the business associates to:
4.7.2a. implement the Administrative Safeguards, Physical Safeguards, and Technical Safeguards of the HIPAA regulations;
4.7.2b. impose the same HIPAA security requirements on any subcontractors who will receive electronic PHI from the business associate;
4.7.2c. report any security incident to the University; and
4.7.2d. authorize the University to terminate the contract if there is a material breach by the business associate.
4.7.3. Where the business associate is a government entity, there may be a memorandum of understanding with the University, or legally binding regulations or statutes, in lieu of a written contract, provided that the MOU or regulations impose the same requirements on the business associate as specified above for contracts, except that authority to terminate is not required if inconsistent with statutory requirements.
4.7.4. If the Security Officer, Privacy Officer, or a representative of a Health Care Component knows of a material breach or violation of a business associate's duties under this regulation, the University must:
4.7.4a. Assure that the breach is cured or the violation is ended, as applicable; or
4.7.4b. Terminate the contract or comparable arrangement; or
4.7.4c. If termination is not feasible, report the problem to the U.S. Department of Health and Human Services.

5. PHYSICAL SAFEGUARDS

5.1. Facility Access Controls
The Security Officer and Health Care Components, in consultation with Environmental Health and Public Safety, shall create guidelines on physical access to electronic information systems and the facilities in which they are housed. Those guidelines shall include:
(i) procedures for facility access to restore lost data under the disaster recovery plan and the emergency mode operation plan;
(ii) a facility security plan to protect facilities and equipment from unauthorized access, tampering, and theft; and
(iii) a procedure to control and validate a person's access to facilities, based on their role or job function, including visitor control and control of access to software programs for testing and revision.

5.2. Facility Maintenance
The Security Officer and Health Care Components, in consultation with Facilities, shall create guidelines for documenting security-related repairs and modifications to the physical components of facilities that house protected health information.

5.3. Workstation Controls
The Security Officer and Health Care Components shall create guidelines on physical safeguards for workstations that access electronic PHI, to restrict access to authorized users where feasible.

5.4. Device and Media Controls
5.4.1. Any disposal of electronic PHI, and of the hardware and electronic media on which it is stored, must be handled according to the HIPAA media guidelines developed by the Security Officer and Health Care Components.
5.4.2. If electronic media are made available for re-use, any electronic PHI must be removed according to the HIPAA media guidelines.
5.4.3. The Health Care Components must maintain a record of the location and any transfer of electronic PHI other than PHI residing solely on University network servers.
5.4.4. The Security Officer and Health Care Components shall create guidelines for making backup copies of electronic PHI whenever the equipment on which the PHI resides is being moved.

6. TECHNICAL SAFEGUARDS

6.1. Access Control
6.1.1. The Security Officer and Health Care Components shall ensure that each user has a unique name and/or number for tracking user identity.
6.1.2. The Security Officer and Health Care Components shall create procedures for obtaining electronic PHI needed in an emergency.
6.1.3. The Security Officer and Health Care Components shall create procedures for logoff of access to electronic PHI after a period of inactivity.
6.1.4. The Security Officer and Health Care Components shall develop guidelines on the encryption of electronic PHI.

6.2. Audit Controls
The Security Officer and Health Care Components shall record and examine activity on information systems that contain or use electronic PHI.

6.3. Integrity and Authentication of Data
The Security Officer and Health Care Components shall protect electronic PHI from unauthorized alteration or destruction. They shall implement means of authenticating that electronic PHI has not been altered or destroyed without authorization.

6.4. Transmission Security
The Security Officer and Health Care Components shall encrypt electronic PHI during transmission when appropriate. They shall implement means of verifying that electronic PHI has not been improperly modified during transmission.

7. ANNUAL REVIEW AND REPORT

7.1. Representatives from Student Health Services, the Counseling Center, and Sports Medicine shall confer with the Security Officer at least once a year to review the security of electronic PHI, and to make changes needed in response to environmental or operational changes or other factors.
7.2. The Security Officer shall deliver a report to the Provost and to the Vice Chancellor for Finance & Business, with a copy to the Office of Legal Affairs, by June 30 of each year that includes the following information:
7.2.1. Title and location (including any electronic location) of all University regulations, rules, and procedures related to HIPAA compliance. If there are past versions, they should be archived and the location of the archive should be noted.
7.2.2. A description of all recommended actions, activities and assessments related to HIPAA compliance (such as changes noted in section 4.1 above), a timeframe for estimated completion, and the date of actual completion.
7.2.3. A statement describing the annual review and updating of all requirements for Administrative Safeguards, Physical Safeguards, and Technical Safeguards.

8. DELEGATION OF RULE-MAKING AUTHORITY

The Health Care Components and the Security Officer are delegated joint authority to establish rules within their defined areas of responsibility to further implement this regulation.

9. EXCLUSIONS AND BEST PRACTICES

9.1. This Regulation does not apply to PHI that is not in electronic form prior to transmission.
9.2. This Regulation does not apply to student PHI that is protected by the Family Educational Rights and Privacy Act (FERPA) or that is described in FERPA at 20 USC 1232g(a)(4)(B)(iv) as medical records of an enrolled student.
9.3. However, the security practices described in this Regulation may be applied to non-electronic PHI and student PHI.

[1] The HIPAA regulations on security, privacy, electronic transactions and code sets, and the national provider identifier are in 45 CFR parts 160, 162, and 164. See "Additional Information" above.
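Sections 6.3 and 6.4 require a means of authenticating that electronic PHI has not been altered at rest or in transit, but the regulation leaves the mechanism to the Security Officer and the Health Care Components. The following is an added illustration, not part of the regulation and not NC State's own tooling, of one such mechanism: a keyed message authentication code (HMAC-SHA256) computed over a canonical encoding of a record and checked with a constant-time comparison before the record is trusted. The record fields, the key, and the function names are all constructed for the example; the record is synthetic and contains no real PHI.

```python
"""Added example for REG 01.25.10 sections 6.3 and 6.4 (integrity and
transmission verification of electronic PHI). Illustrative only; the
record, key, and function names are constructed for this example."""
import hashlib
import hmac
import json

# Constructed, synthetic record. Keys are deliberately out of order to show
# that canonicalization, not field order, determines the integrity tag.
SAMPLE_RECORD = {
    "visit_date": "2005-04-18",
    "patient_id": "TEST-0001",
    "unit": "Student Health Services",
    "note": "synthetic record for illustration",
}

# 32-byte key, fixed here only so the example is reproducible. In practice the
# key is generated with secrets.token_bytes(32) and kept separate from the
# data it protects; whoever holds the key can produce valid tags.
DEMO_KEY = bytes(range(32))


def canonical_bytes(record: dict) -> bytes:
    """Encode the record so that the same logical content always yields the
    same bytes (sorted keys, fixed separators, UTF-8)."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def tag_record(key: bytes, record: dict) -> str:
    """Return the hex HMAC-SHA256 tag for a record (stored or sent alongside it)."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def verify_record(key: bytes, record: dict, tag: str) -> bool:
    """True only if the record is byte-for-byte what the key holder tagged.
    compare_digest avoids leaking the position of the first mismatch."""
    expected = tag_record(key, record)
    return hmac.compare_digest(expected, tag)


def load_verified(key: bytes, record: dict, tag: str) -> dict:
    """Gate for consumers: refuse to return a record whose tag does not verify,
    which is how 6.3/6.4 would be enforced at a read or receive boundary."""
    if not verify_record(key, record, tag):
        raise ValueError("integrity check failed: record altered or tag mismatch")
    return record


def demo(key: bytes = DEMO_KEY) -> tuple:
    """Exercise the check against four cases: original record, a field
    altered after tagging, the same record with fields reordered, and a
    verifier holding a different key."""
    tag = tag_record(key, SAMPLE_RECORD)

    ok_original = verify_record(key, SAMPLE_RECORD, tag)

    # Silent modification in storage or transit: one field changed.
    tampered = dict(SAMPLE_RECORD, note="altered after tagging")
    ok_tampered = verify_record(key, tampered, tag)

    # Same content, different serialization order: must still verify.
    reordered = dict(reversed(list(SAMPLE_RECORD.items())))
    ok_reordered = verify_record(key, reordered, tag)

    # A receiver without the shared key cannot validate the tag.
    other_key = bytes(32)
    ok_wrong_key = verify_record(other_key, SAMPLE_RECORD, tag)

    return ok_original, ok_tampered, ok_reordered, ok_wrong_key


if __name__ == "__main__":
    print(demo())  # expected: (True, False, True, False)
```

The tag detects alteration relative to whoever holds the key; it does not provide confidentiality, so it complements rather than replaces the encryption called for in 6.1.4 and 6.4. For data in transit, TLS already supplies integrity and authentication for the connection, but a tag carried with the record lets a receiver verify it after it has been decrypted, stored, and read back later.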