***HIPAA SECURITY SAMPLES FOR REFERENCE ONLY.***


MUST BE MODIFIED TO UNIT SPECIFICATIONS

The scope of this policy includes all systems, networks, procedures, and operations related to UNIT that contain, manipulate, or access electronic protected health information (EPHI).  All present and future personnel, equipment, systems, and vendors that access or store UNIT information are covered under this policy.

Risk Analysis:

Items covered within the scope of this policy will be regularly reviewed for known vulnerabilities. Operational procedures will be assessed to ensure maximum efficiency, security, and subject confidence while maintaining the highest level of confidentiality, availability, and integrity to EPHI. 

A statement of intent will be developed prior to each assessment, outlining the actions to be taken during the assessment, the dates and times, and the responsible parties for conducting the assessment.  

Following the assessment, a report documenting the results along with a remediation plan for addressing critical vulnerabilities will be developed and filed in UNIT’s HIPAA documentation.  Accountability for corrective actions will be enforced by the UNIT Director.

Risk Management:

The security measures and safeguards that UNIT will implement for its EPHI will be based upon results of risk analysis and information systems reviews.  Reviews of system activity shall cover both routine operations and emergency operations.  

UNIT will implement security measures and safeguards for each EPHI repository sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.  The measures must be commensurate with the data classification of the repository.  Safeguards may include normal best practice security measures such as user accounts, passwords, and firewalls; high risk EPHI repositories may require additional security measures.

UNIT will appropriately discipline and sanction employees and other workforce members for violations of the HIPAA Security Policy. 

The following controls, which provide reasonable risk mitigation, will be employed by UNIT on all applicable information technology systems:

  1. Strict password policies will be set and enforced.
  2. Default (shipped) administrator accounts and guest/user accounts will be renamed, and all default (shipped) passwords will be changed.
  3. Executable and dangerous email attachments will be blocked at the email server.
  4. Security audits will be set up and logs will be regularly reviewed for unusual activity.
  5. Unnecessary applications and services will be removed from systems.
  6. Frequent data backups will be taken, and stored in a safe place.
  7. Password protected screen savers will be used to restrict access to workstations.
  8. Users will be educated about good security practices.

Sanction Policy:

This sanction policy is intended to supplement the disciplinary and sanction provisions described in the University Operations Manual to specifically address handling of issues related to compliance with HIPAA regulations. 

Any employee who witnesses a violation of HIPAA policy is responsible for notifying their supervisor or the supervisor of the person violating policy.  That supervisor is responsible for notifying the UNIT Human Resources representative.  Upon notification of a violation of policy that is related to HIPAA compliance practices, the UNIT Human Resources representative will take overall responsibility for the issue.  The UI HIPAA Privacy Officer will be notified in order to take responsibility for any legally required external notification of the event.  Any incident that requires activation of this policy must be clearly documented in the appropriate personnel file.

UNIT Human Resources has discretion to determine if a specific incident is severe enough to escalate to a higher disciplinary level, with approval from the VP for Human Resources.  These sanctions are not intended to replace any other disciplinary policies otherwise defined in the University Operations Manual.

Disciplinary Levels:

  1. Education. Provide educational resources to raise awareness and sensitivity to regulatory compliance issues.
  2. Mandatory Certification.  Require documented evidence of successful training in HIPAA regulatory compliance.
  3. Disciplinary Action.  A range of actions, up to and including termination, will be available as contingent discipline. Disciplinary action is determined by the Director of Employment, Human Resources.
  4. Determination.  If all prior methods fail, the person will be terminated or removed from a position with responsibilities that allow for HIPAA policy violation.

Information Systems Activity Review:

UNIT will assign staff operational responsibility to regularly review all sources of information system activity, including but not limited to audit logs, access reports, and security incident tracking reports. This review will be conducted at least weekly.

At a minimum, a review of the procedures and reports will be conducted during the annual review of UNIT documentation by the HIPAA Privacy Officer and the Security Officer.

The following tools will be utilized (describe tools as applicable to UNIT):

Inventory Management: SCCM (Microsoft)
Event log monitoring: Microsoft Operations Manager (Microsoft); Swatch Event Log Monitor (Sourcefire)
Network port monitoring: Port Sentry (Open Source)
System log monitoring: Log Sentry (Open Source)
Virus protection: Various Symantec Anti-Virus solutions, provided centrally; Antigen, Forefront (Microsoft); PureMessage (Sophos), provided centrally
Intrusion Detection System: Snort (Open Source), provided centrally
Vulnerability Assessment: Nessus, provided centrally; Accunetix, provided centrally

Authorization/Supervision and Workforce Clearance:

Initial authorization of workforce members to access EPHI must be approved by the designated UNIT departmental administrator or system owner, and records of such authorization must be maintained.

On an annual basis, all authorizations for access will be reviewed for applicability, and removed or modified as necessary to comply with the need-to-know provision.

Procedures will be implemented to review and determine that the access of workforce members is appropriate. This may include, but does not require, the completion of criminal background checks on new workforce members, credential checks, employment and reference checks, character reference checks, or similar clearance measures.  It also covers the review of groups or categories of workforce members to ensure appropriate access to EPHI.

Termination:

Workforce members who end employment or relationship with UNIT will have all access to EPHI cancelled at the time of departure from the organization.  Termination for any reason must result in cancellation of all access to information technology, especially EPHI.  Cancellation of access must occur as soon as possible after the termination is in effect, and will be automated wherever possible.

Human Resources systems will automatically provide a notification process for terminations.  Notification will result in elimination of access to applicable information technology systems, physical access control systems (such as Marlock), and removal from group memberships.  If the termination is for cause, additional security measures may be employed such as escorting the person from University premises.  A checklist of termination activities will be completed for each terminated employee, and filed in the person's UNIT personnel folder.

Workforce members who transfer from one department of the University to another will be flagged and reported for access control review, and all authorizations that are no longer applicable under the need-to-know principle will be removed.

Access Authorization, Establishment, and Modification:

Workforce members must be authorized by UNIT to have access to EPHI through electronic means.  This will be accomplished through a documented request for access, supervisor approval, and finally by granting authorization to the workforce member.  System or server logs will be activated to track logins to EPHI resources and these will be reviewed for unusual activity on a periodic basis.

Unusual activity will be defined as system access at unusual times, attempts to access resources by persons who are not authorized, and/or attempts to copy and/or relocate files or folders containing EPHI.
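The following script is added here as an illustration of how the three categories of unusual activity defined above can be checked mechanically over login records; it is not part of this policy and is not UNIT's tooling. The log line format, the authorized-user list, and the 07:00-19:00 business-hours window are assumptions made for the example, and the sample log lines are constructed.

```python
"""Hypothetical reviewer for EPHI access logs (added example, not UNIT's tooling).

Flags the kinds of unusual activity the policy names:
  * access at unusual times (outside an assumed 07:00-19:00 business window),
  * access attempts by users who are not on the authorization list,
  * copy/move operations on EPHI files or folders,
  * access attempts that the system denied.
The log format and authorization list below are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, time
import re

# Assumed business-hours window; a real unit would set this per department.
BUSINESS_START = time(7, 0)
BUSINESS_END = time(19, 0)

# Constructed authorization list: the workforce members whose documented
# access request and supervisor approval are on file.
AUTHORIZED_USERS = {"jdoe", "asmith"}

# Constructed log format: ISO timestamp followed by key=value fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"resource=(?P<resource>\S+) result=(?P<result>\S+)$"
)

# Assumed root of the EPHI file share for the copy/move check.
EPHI_PREFIX = "/ephi/"


@dataclass
class Finding:
    line_no: int
    reason: str
    user: str


def review_lines(lines):
    """Return a Finding for every unusual-activity rule a log line trips."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            # Unparseable records are reported rather than silently skipped.
            findings.append(Finding(n, "unparseable record", "?"))
            continue
        ts = datetime.fromisoformat(m["ts"])
        user, action, resource, result = (
            m["user"], m["action"], m["resource"], m["result"]
        )
        if not (BUSINESS_START <= ts.time() < BUSINESS_END):
            findings.append(Finding(n, "access at unusual time", user))
        if user not in AUTHORIZED_USERS:
            findings.append(Finding(n, "user not authorized", user))
        if result == "denied":
            findings.append(Finding(n, "access denied", user))
        if action in ("copy", "move") and resource.startswith(EPHI_PREFIX):
            findings.append(Finding(n, f"{action} of EPHI resource", user))
    return findings


# Constructed sample log for the example run.
SAMPLE_LOG = """\
2024-03-04T09:15:02 user=jdoe action=login resource=ehr-db result=success
2024-03-04T02:13:55 user=asmith action=login resource=ehr-db result=success
2024-03-04T10:42:10 user=mallory action=login resource=ehr-db result=denied
2024-03-04T11:05:33 user=jdoe action=copy resource=/ephi/patients.csv result=success
2024-03-04T13:00:00 user=asmith action=read resource=/ephi/notes.txt result=success
""".splitlines()


if __name__ == "__main__":
    for f in review_lines(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason} ({f.user})")
```

Each finding carries the log line number so the weekly reviewer can go back to the original record; a real deployment would feed it the export from the log-monitoring tool listed earlier rather than an embedded string.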

Any changes to EPHI access through an employment change in status must be authorized, controlled, and supervised. Change in status may be a transfer, leave of absence, or termination.  A leave or termination condition must result in revocation of all access to EPHI. A transfer must result in a review of access authorizations, with appropriate changes.

Security Reminders:

Periodic security reminders will be delivered through one or more mechanisms to members of UNIT’s workforce.  These may be delivered via signs or posters in employee areas, newsletters, e-mail, message boards, intranet web sites, or verbally.

Reminders will include, but are not limited to, the following basic security principles:

  1. Passwords cannot ever be shared for any reason, and workforce members should avoid unintended disclosures of passwords, such as making them easy to guess or recording them where others may be able to find them.
  2. Applications should be locked before you leave your workstation, using a password protected screen saver, or other method.  When you are no longer using a workstation, log out. 
  3. E-mail attachments should never be opened unless they are expected and you know the sender. 
  4. Do not follow/click on any links in unsolicited advertising, whether from e-mail, an instant message, newsgroup, or other electronic communication.
  5. Do not download software from the Internet without prior authorization from UNIT technology support staff, and without running an anti-virus scan of the object before it’s opened.
  6. Do not discuss patient or subject health information in public, and do not leave printed documents where they can be viewed by others.

Protection from Malicious Software:

All eligible devices connecting to, accessing, or housing EPHI in UNIT will have appropriate anti-virus software installed, and updated on a daily basis. This software will be configured to scan all incoming file objects and electronic mail.
 
All software, including operating systems and application programs, will be kept up to date with security patches.  UNIT’s technology support staff are responsible for ensuring that critical security updates are installed within seven days of being released, or that a commensurate protection is implemented in its place. 

Backup Plan, Emergency Operations, and Disaster Recovery:

Procedures will be established and implemented to create and maintain retrievable exact copies of all UNIT EPHI.  Routine backups of EPHI from all appropriate locations will be made on a regular basis (no less than daily for volatile information and weekly for more static information). Backup media will be properly indexed and labeled to allow for identification and retrieval by individuals other than the original workforce member who made the backup. The backup media and restore procedures will be tested periodically (at least annually), to ensure they are reliable and kept up to date.

Backup information will be made available on alternative (backup, redundant) servers in case of an emergency resulting from a significant interruption of critical services. Alternative emergency operations must be sustained until the original systems and processes are restored.  At least one full copy of EPHI data will be stored in a secure, off-site location for disaster recovery purposes.  Backup media stored on-site must be in a physically secure location that is separate from the location of the system it represents.

Procedures for the restoration of all systems and data in the event of a disaster will be documented.  The procedures will be sufficiently clear to allow someone other than the UNIT IT staff to perform the recovery.  It must include the steps for recovering individual files or folders, steps for the recovery of database instances, steps for recovery of entire servers or collections of servers, prioritization information for systems if applicable, and contact information for server, network, and application administrators.

Security Evaluation:

All technical and non-technical aspects of UNIT will be reviewed on a periodic basis, emphasizing on-going compliance with the HIPAA Security Rule.  All related UNIT policy and procedure, and other supporting documentation and processes will be identified and reviewed at least annually to ensure it is kept up to date and accurately reflects operations.

Facility (Data Center) Security Plan and Access Control:

UNIT facilities housing EPHI and its supporting technology must be protected through equipment, policies, and procedures from unauthorized physical access, tampering, and theft.  All entrances to the facility must be controlled to prevent unauthorized access, and the entire facility must have appropriate fire suppression capabilities as required by law.

Access into the facility will be limited to authorized personnel using keys, combinations, tokens, badge mechanisms, or biometrics. Other possible entrance methods such as windows or skylights must be made inaccessible.  Entrances to the facility will be monitored, and public access entries will be well-lit and may be visible to security staff or via cameras.

Visitors and maintenance personnel will be required to provide identification and sign in before entrance, and will be accompanied within the facility by authorized personnel. 

Repairs and modifications to the facility or equipment must be documented to include the person authorizing the work, the nature of the work, the date and time, and the individuals performing the work. 

Workstation Use, Security and Device Media Controls:

Workstations and other devices will be controlled to prevent improper access, usage, loss, damage, or disclosure of EPHI. This includes any device that is network enabled, including personal computers, hand-held devices and PDAs, laptops, or servers.  Network enabled includes both hard wired and wireless connection methods, and includes local as well as remote access. 

No EPHI can be permanently stored on a single user workstation, laptop, wireless device, or hand-held computing device.  All EPHI must be transferred to secure servers at the end of the day or shift, to allow for it to be backed up using UNIT procedures.  All such (local, personal) uses of EPHI must be authorized in advance by UNIT management.  EPHI is not to be transported out of the UNIT on portable devices without written authorization. 

Workforce members are not to alter the configuration of personal devices or load software onto them without prior approval from UNIT management and IT support staff.  Monitors should be positioned to prevent inadvertent disclosure of EPHI from passersby.  Screen savers that are password protected will be implemented on all devices. 

Remote access to systems containing EPHI must be authorized by UNIT management on an as needed basis, and should be conducted through secure, encrypted channels to avoid the possibility of inadvertent disclosure.  Workforce members accessing EPHI remotely must not retain the EPHI permanently on the remote device.

When the useful life of equipment or media has been reached, the media is to be rendered unreadable by either a) forensic wiping of the media, b) physical destruction of the media, or c) degaussing of the media. 

When equipment or media is to be repurposed, the UNIT management must determine if any EPHI is present, if it must be removed, and the method by which it must be removed.  In the event that servers, workstations, or data storage devices are relocated, all data including EPHI will be backed up to ensure its protection during the move.

It is UNIT’s responsibility to ensure that procedures are implemented to adequately inventory and track all devices that contain EPHI.

Encryption and Decryption Policy:

NOTE: There are various types of encryption technologies. To work properly, both the sender and the receiver must use the same or compatible technology.

In cases where EPHI is to be transmitted outside of the University of Iowa telecommunications network, UNIT will ensure that encryption/decryption will be employed to ensure the privacy and integrity of the information being transmitted. 

It is acceptable to encrypt a file and then transmit it, for instance using PGP, DES, or other file-based encryption technology.  If a file transfer protocol is necessary, a secure alternative (e.g., scp) must be used if the file is not pre-encrypted.  It is acceptable to use S-MIME for encryption of e-mail.  It is acceptable to use SSL (Secure Sockets Layer V3) for encryption of data to and from a web site, or SSH (Secure Shell protocol) for encrypted terminal sessions between hosts.   It is also acceptable to utilize a VPN (Virtual Private Network) connection to encrypt data as it is transmitted across unsecured networks.

In conjunction with secure transmission of data, a strong form of authentication must be utilized to ensure that the sender and recipient of the data are known to each other and are authorized to receive and decrypt the data. 

To ensure the integrity of data, a hashing algorithm may be employed prior to and after transmission of EPHI.  It is acceptable to use hashes from the SHA-2 family for this purpose, in addition to (but not in place of) the use of encryption.
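The following script is added here to illustrate the integrity check described above and is not part of this policy or of any UNIT tooling: the sender computes a SHA-256 digest of each (already encrypted) file before transmission and sends the manifest with the files, and the recipient recomputes the digests after transfer and reports any file whose digest no longer matches. The file names and contents are constructed for the example. The keyed HMAC-SHA256 variant at the end goes beyond what the policy text specifies and is included as an assumption about how the sender authentication required above can be tied to the same digest.

```python
"""Added example: SHA-256 integrity manifest for EPHI files sent off-network.

Not part of the original policy text. Digests are computed before
transmission (sender side) and recomputed after (recipient side); the
manifest itself must travel over the encrypted, authenticated channel the
policy requires, otherwise an altered file could be sent with an altered
manifest. File names and contents below are constructed for this example.
"""
import hashlib
import hmac
import io

CHUNK = 64 * 1024  # digest large files in pieces rather than loading them whole


def sha256_hex(data: bytes) -> str:
    """Digest a byte string in chunks, the way one would digest a file stream."""
    h = hashlib.sha256()
    stream = io.BytesIO(data)
    for block in iter(lambda: stream.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()


def make_manifest(files: dict) -> dict:
    """Sender side: map each file name to its SHA-256 hex digest."""
    return {name: sha256_hex(content) for name, content in files.items()}


def verify_manifest(received: dict, manifest: dict) -> list:
    """Recipient side: recompute digests and return the names that fail.

    A file listed in the manifest but missing on the receiving side is also
    a failure, since an exact copy of every file was expected.
    """
    failures = []
    for name, expected in manifest.items():
        actual = received.get(name)
        if actual is None or not hmac.compare_digest(sha256_hex(actual), expected):
            failures.append(name)
    return failures


def hmac_sha256_hex(key: bytes, data: bytes) -> str:
    """Keyed variant (assumption beyond the page): HMAC-SHA256 binds the digest
    to a key shared by sender and recipient, so a party without the key cannot
    produce a matching manifest for altered content."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


# Constructed sample: what the sender transmitted, and what arrived.
SENT = {
    "lab_results.enc": b"\x01\x02encrypted-bytes-of-lab-results",
    "referral.enc": b"\x9f\x00encrypted-bytes-of-referral",
}
RECEIVED = {
    "lab_results.enc": b"\x01\x02encrypted-bytes-of-lab-results",
    "referral.enc": b"\x9f\x00encrypted-bytes-of-referraL",  # one byte changed in transit
}


def run_example() -> list:
    """Build the manifest from SENT and check RECEIVED against it."""
    return verify_manifest(RECEIVED, make_manifest(SENT))


if __name__ == "__main__":
    bad = run_example()
    print("integrity failures:", ", ".join(bad) if bad else "none")
```

The comparison uses hmac.compare_digest rather than == so that a mismatched digest is not reported faster or slower depending on where the first differing character lies; for a manifest exchanged over an encrypted channel this is a small point, but it costs nothing to get right.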