IU South Bend HIPAA Security Standard
- Standard - SBIT-201
- Status - Adopted August 1, 2010
- Source - Office of the Vice Chancellor for Information Technologies
This Standard applies to any IU South Bend departments, services, or groups who is a Covered Entity or who act on behalf of a Covered Entity that use or disclose electronic protected health information (ePHI) for any purposes regardless of affiliation, and irrespective of whether those resources are accessed from on-campus or off-campus locations.
Congress enacted the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to require entities who use physical and mental health information to assess risk levels to ePHI data, create and enforce policies relating to those who access ePHI data, and to implement security measures to secure systems which access or store ePHI data.
This Standard reflects IU South Bend Information Technologies’ (IT) commitment to provide CE with Standards commensurate with the privacy and confidentiality expectations of whom the data reflects and as would be expected from a public University. This Standard also reflects expectations as defined by HIPAA.
CE will implement policies and procedures as mandated by HIPAA Security Rule.
A - CE will contact IT to aid in the performance of a risk analysis to identify potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by CE.
B - CE will publish a Sanction policy to apply against workforce members who fail to comply with the security policies and procedures of the covered entity.
C - CE will identify a person(s) to act as a security/policy official who will be responsible for the development and implementation of the policies and procedures required by HIPAA.
D - CE will implement procedures for the authorization and/or supervision of workforce members who work with ePHI or in locations where it might be accessed.
E - CE will implement a security awareness and training program for all members of its workforce (including management).
F - CE will implement procedures for creating, changing, and safeguarding passwords, including complexity and change frequency.
G - CE will implement procedures and documentation for business continuity with regard to covered computer systems and ePHI, with the ability to retrieve records for up to 6 years.
H - CE will implement policies and procedures to limit physical access to its electronic information systems, ePHI, and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.
CE will ensure proper documents and procedures regarding patient rights, access, consent, and authorization forms/policies.
A - With regard to patient information, CE will create and implement forms and policies regarding data usage and disclosure, patient rights, data retention, complaint handling, and privacy notices.
B - With regard to patient information, CE will create and implement forms and policies regarding the transmission of data with regard to email, electronic transfer, facsimile, or any other form of transmission.
C - With regard to patient information, CE will create and implement forms and policies pertaining to incident reporting in the event of accidental data disclosure.
CE will follow all related University, IT, and legislative mandates with regard to the protection of ePHI data and systems.
refers to departments or service centers which engage in either physical or mental health services, or those who maintain health insurance benefits information.
ePHI - Electronic protected health information
means individually identifiable health information that is:
- Transmitted by electronic media
- Maintained in electronic media
(1) Electronic storage media including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; or
(2) Transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the internet (wide-open), extranet (using internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media, because the information being exchanged did not exist in electronic form before the transmission.
means an interconnected set of information resources under the same direct management control that shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people.
means employees, volunteers, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity. This includes full and part time employees, affiliates, associates, students, volunteers, and staff from third party entities who provide service to the covered entity.
Availability means the property that data or information is accessible and useable upon demand by an authorized person.
means the property that data or information is not made available or disclosed to unauthorized persons or processes.
Integrity means the property that data are accurate and consistent and have not been altered or destroyed in an unauthorized manner.
means a systematic and analytical approach that identifies and assesses risks to the confidentiality, integrity or availability of a covered entity’s ePHI. Risk analysis considers all relevant losses that would be expected if specific security measures protecting ePHI are not in place. Relevant losses include losses caused by unauthorized use and disclosure of ePHI and loss of data integrity.
Failure to comply with Indiana University South Bend information technology standards and policies may result in sanctions relating to the individual's use of information technology resources (such as suspension or termination of access, or removal of online material); to the individual's employment (up to and including immediate termination of employment); civil or criminal liability; or any combination of these; for departments, may result in restrictions placed on access to ePHI data residing on IT hosts, or network access restrictions placed on hosts containing ePHI.
Related Policies, Laws, and Documents
- IT-07 Privacy of Information Technology Resources
- IT-03 Eligibility to Use Information Technology Resources
- IT-12 Security off Information Technology Resources
- SBIT-102 Electronic Media Disposal
- SBIT-101 Sensitive Data Storage
- SBIT-202 HIPAA Authorized Access
- HIPAA Regulations
Campuses, schools, colleges, departments, and other administrative units may have issued local policies and standards governing the appropriate use of information technologies deployed specifically to support that unit's activities. Managers of information technology services may have issued service-level polices and standards governing the appropriate use of their services. In order to understand and adhere to these requirements, users of these resources are responsible for consulting with appropriate unit or service staff.
- Approved August 1, 2010