a b c d e f g h i j k l m n
o p q r s t u v w x y z

HIPAA Security Rule Policy

Definitions

Protected Health Information (PHI): Any information that identifies an individual and relates to that individual’s physical or mental health, health care or treatment, and payment for health care or treatment.

Electronic Protected Health Information (ePHI): PHI that is created, stored, transmitted, or received electronically.

Hybrid HIPAA Covered Entity: An organization where only selected areas deal with PHI.

Policy Statement

As a Hybrid HIPAA Covered Entity (CE), Missouri State University will protect electronic Protected Health Information (ePHI) by addressing Administrative Safeguards, Physical Safeguards, and Technical Safeguards. The subcategories under each of the three main categories will be links to the specific policies and will point to existing security policy where applicable. This policy is based on Appendix A to Subpart C of Part 164 – Security Standards: Matrix, 68 Fed. Reg. 8333, 8380 (Feb. 20, 2003)

Administrative Safeguards

Security Management Process: Information Security Risk Assessment and Management policy, Sanctions for Misuse

Assigned Security Responsibility: Information Security Unit Organization and Mission policy, Privacy & Security Officers
Workforce Security: Employee Termination Procedures, Computers/Networks Policy, User Access to Electronic Data, Information Security Identity and Access Management policy
Information Access Management: Data Security Policy, Information Security Identity and Access Management policy
Security Awareness and Training: HIPAA Privacy & Security Training, Information Security Awareness and Training policy
Security Incident Procedures: Information Security Incident Response policy
Contingency Plan: Information Security Disaster Recovery of Core Systems, Computers/Networks Policy
Evaluation: Auditing & Monitoring of HIPAA Department Operating Regulations
Business Associate Contracts and Other Arrangements: Business Associates

Physical Safeguards

Facility Access Controls: Information Security Physical Security policy

Workstation Use: Acceptable Use Policy, Information Security Component Integration and Removal policy
Workstation Security: Computers/Networks Policy, Data Security Policy, Information Security Component Integration and Removal policy
Device and Media Controls: Retention & Protection of PHI, Customer Information Policy, Data Security Policy, Information Security Information Management policy

Technical Safeguards

Access Control: User Access to Electronic Data, Data Security, Information Security Identity and Access Management policy
Audit Controls: Information Security Network and Computing Infrastructure policy
Integrity
Person or Entity Authentication: User Access to Electronic Data, Information Security Identity and Access Management policy
Transmission Security: Information Management policy

Reason or Purpose for Policy

HIPAA regulations require that ePHI be protected from unauthorized access and/or destruction. Compromise of ePHI can lead to heavy fines, litigation, and damage to the University’s reputation with increased oversight and enforcement as a result of the HITECH (Title XIII) Act of the ARRA of 2009.

Entities Affected by this Policy

All University Health Care Components (HCC) that deal with ePHI.

Line of Authority

Responsible Administrator and Office: Chief Information Officer (CIO)
Contact Person in that Office: Information Security Officer (ISO)