HIPAA Security Rule Policy
Protected Health Information (PHI): Any information that identifies an individual and relates to that individual’s past, present, or future physical or mental health, the provision of health care or treatment to that individual, or payment for that health care or treatment.
Electronic Protected Health Information (ePHI): PHI that is created, stored, transmitted, or received electronically.
Hybrid HIPAA Covered Entity: An organization whose activities include both HIPAA-covered and non-covered functions, and in which only designated units (its health care components) create, receive, or maintain PHI; the HIPAA rules apply to those components rather than to the organization as a whole.
As a Hybrid HIPAA Covered Entity (CE), Missouri State University will protect electronic Protected Health Information (ePHI) by addressing Administrative Safeguards, Physical Safeguards, and Technical Safeguards. Each subcategory listed under the three main categories links to the specific policy or procedure that implements it, pointing to existing University security policy where applicable. This policy is based on Appendix A to Subpart C of Part 164 – Security Standards: Matrix, 68 Fed. Reg. 8333, 8380 (Feb. 20, 2003).
Administrative Safeguards
- Security Management Process: Information Security Risk Assessment and Management policy, Sanctions for Misuse
- Assigned Security Responsibility: Information Security Unit Organization and Mission policy, Privacy & Security Officers
- Workforce Security: Employee Termination Procedures, Computers/Networks Policy, User Access to Electronic Data, Information Security Identity and Access Management policy
- Information Access Management: Data Security Policy, Information Security Identity and Access Management policy
- Security Awareness and Training: HIPAA Privacy & Security Training, Information Security Awareness and Training policy
- Security Incident Procedures: Information Security Incident Response policy
- Contingency Plan: Information Security Disaster Recovery of Core Systems, Computers/Networks Policy
- Evaluation: Auditing & Monitoring of HIPAA Department Operating Regulations
- Business Associate Contracts and Other Arrangements: Business Associates
Physical Safeguards
- Facility Access Controls: Information Security Physical Security policy
- Workstation Use: Acceptable Use Policy, Information Security Component Integration and Removal policy
- Workstation Security: Computers/Networks Policy, Data Security Policy, Information Security Component Integration and Removal policy
- Device and Media Controls: Retention & Protection of PHI, Customer Information Policy, Data Security Policy, Information Security Information Management policy
Technical Safeguards
- Access Control: User Access to Electronic Data, Data Security, Information Security Identity and Access Management policy
- Audit Controls: Information Security Network and Computing Infrastructure policy
- Person or Entity Authentication: User Access to Electronic Data, Information Security Identity and Access Management policy
- Transmission Security: Information Management policy
Reason or Purpose for Policy
HIPAA regulations require that ePHI be protected from unauthorized access, alteration, and destruction. Compromise of ePHI can lead to heavy fines, litigation, and damage to the University’s reputation, and regulatory oversight and enforcement have increased under the HITECH Act (Title XIII of the ARRA of 2009).
Entities Affected by this Policy
All University Health Care Components (HCC) that deal with ePHI.
Line of Authority
- Responsible Administrator and Office: Chief Information Officer (CIO)
- Contact Person in that Office: Information Security Officer (ISO)