HIPAA Security Rule Policy

Op12.07-15 HIPAA Security Rule Policy


Health Insurance Portability and Accountability Act of 1996 (HIPAA): Protects the privacy of individually identifiable health information and includes the HIPAA Security Rule (which sets national standards for the security of electronic protected health information), the HIPAA Breach Notification Rule (which requires covered entities and business associates to provide notification following a breach of unsecured protected health information), and the confidentiality provisions of the Patient Safety Rule (which protect identifiable information being used to analyze patient safety events and improve patient safety).

Protected Health Information (PHI): Any information that identifies an individual and relates to that individual’s physical or mental health, health care or treatment, and payment for health care or treatment.

Electronic Protected Health Information (ePHI): PHI that is created, stored, transmitted, or received electronically.

Hybrid HIPAA Covered Entity: An organization where only selected areas deal with PHI.

Policy statement

As a Hybrid HIPAA Covered Entity (CE), Missouri State University will protect electronic Protected Health Information (ePHI) by addressing Administrative Safeguards, Physical Safeguards, and Technical Safeguards. The subcategories under each of the three main categories will be linked to the specific policies and will point to existing security policy where applicable. This policy is based on Appendix A to Subpart C of Part 164 – Security Standards: Matrix, 68 Fed. Reg. 8333, 8380 (Feb. 20, 2003).

Administrative safeguards

Security Management Process: Information Security Risk Assessment and Management policy, Sanctions for Misuse

Physical safeguards

Facility Access Controls: Information Security Physical Security policy

Technical safeguards

  • Access Control: User Access to Electronic Data, Data Security, Information Security Identity and Access Management policy
  • Audit Controls: Information Security Network and Computing Infrastructure policy
  • Integrity
  • Person or Entity Authentication: User Access to Electronic Data, Information Security Identity and Access Management policy
  • Transmission Security: Information Management policy