Achieving HIPAA Security Regulations Compliance

January 2009

REQUIRED controls must be implemented by the covered entity in order to achieve compliance with the regulation.

ADDRESSABLE controls must be evaluated to determine if they are reasonable and appropriate for the covered entity. The covered entity must then either implement the control, implement an alternative, or not implement it. If the control is not reasonable and appropriate, the covered entity must document why it is not reasonable and appropriate.

PART 1 includes documentation of the required and addressable HIPAA security controls implemented at The University of Iowa on a site-wide basis.

PART 2 includes policy, reference information, and samples to assist local units which are components of the "Hybrid Entity" at The University of Iowa with implementation of required and addressable security controls.

Questions about the implementation of security controls for the protection of University of Iowa systems that handle electronic protected health information (i.e., Restricted-Health data) may be directed to the Information Security and Policy Office by calling 335-6332 or sending email to it-security@uiowa.edu.

PART 1: Site implementation/documentation in support of compliance at the University of Iowa

Required Controls:

CONTROL | IMPLEMENTATION | REFERENCES AND RESOURCES
Sanctions Policy | site | Information Security Policy, Acceptable Use of Information Technology Resources Policy
Name a Security Officer | site | Roles and Responsibilities for Information Security
Incident Response Capability and Reporting Procedures | site | Security Incident Escalation Policy, I-CERT Team
Data Backup Policy | site and local* | Backup and Recovery Policy
Workstation use, access policy and procedures | site | Institutional Data Access Policy
Equipment disposal, re-use policy and procedures | site | Computer Data and Media Disposal Policy
Unique User IDs for each person | site | Enterprise Login ID Standard
Strong authentication | site | Enterprise Password Policy
Policies and Procedures documented | site and local* |
All documentation, including policy, reviewed and updated regularly, retained for 6 years, and made available to all affected persons | site and local* | Information Security Program

*For controls requiring both site and local implementation, the local unit must develop procedures in line with the site policy.

Addressable Controls:

Control | Implementation | References and Resources
Security reminders, training, and anti-virus resources | site | Security Education Resource Webpage, Information Security Policy, Software Download Webpage, Anti-Virus Resource Center
Strong Password Policy | site | Enterprise Password Policy

PART 2: Local implementation/documentation assistance in support of compliance at the University of Iowa

Required Controls: The following controls must be implemented and documented at the local level. Reference documents, samples, and other available resources are listed to assist.

CONTROL | REFERENCES AND RESOURCES
Conduct a formal Risk Assessment | Institutional Data Access Policy, Risk Assessment Template (doc), sampleriskassessmentreport.pdf
Implement controls to reduce identified risks |
Develop procedures to review system activity logs, account privileges, account eligibility and duration, and incident records | Information Security Policy, Reference
Develop a Disaster Recovery Plan (includes unit/local DR plan instructions) | sample-drp-forms.doc
Develop an Emergency Operations Plan | Information Security Policy, Reference
Develop System Emergency Access Procedures | Reference
Implement auditing of system activity and its regular review | Information Security Policy, Reference
Business Associate Agreements for non-university access to PHI | Refer to the University of Iowa HIPAA Privacy Officer for assistance at the Joint Office for Compliance, (319) 384-8282, or send an email to compliance@healthcare.uiowa.edu

Addressable Controls: The local unit must decide if each item below is reasonable and appropriate for its environment, and then either implement the control, implement an alternative, or not implement it. If the control is not reasonable and appropriate, the local unit must document why it is not reasonable and appropriate. Reference documents, samples, and other available resources are listed to assist.

CONTROL | REFERENCES AND RESOURCES
Employee Termination Procedures | HR Sample Termination Checklist
Workforce supervision policy and procedures, background checks | HR Background Checks, policy-confidentiality-stmt.pdf
Authorization policy and procedures for establishment and modification of access | Reference
Login monitoring | Acceptable Use of Information Technology Resources
Regular testing of contingency plans | Information Security Policy
Perform data criticality analysis and classify data | Institutional Data Access Policy
Develop a facility (physical) security plan, including access control mechanisms, visitor control, and maintenance of records | Information Security Policy, Reference
Develop a system for equipment/inventory management | Reference
Implement automatic logoff on machines |
Utilize encryption for privacy in communications, and for data integrity | Information Security Policy, Reference
Develop/implement integrity controls for data | Institutional Data Access Policy, Information Security Policy, Reference

Contact Details | tel: 319 335 6332 | email: it-security@uiowa.edu