Achieving HIPAA Security Regulations Compliance
January 2009
REQUIRED controls must be implemented by the covered entity in order to achieve compliance with the regulation.
ADDRESSABLE controls must be evaluated to determine if they are reasonable and appropriate for the covered entity. The covered entity must then must either implement, implement an alternative, or not implement the control. If the control is not reasonable and appropriate, the covered entity must document why the control is not reasonable and appropriate.
PART 1 includes documentation of the required and addressable HIPAA security controls implemented at The University of Iowa on a site-wide basis.
PART 2 includes policy, reference information, and samples to assist local units which are components of the "Hybrid Entity" at The University of Iowa with implementation of required and addressable security controls.
Questions about the implementation of security controls for protection of University of Iowa systems that handle electronic protected health information (i.e., Restricted-Health data), may be directed to the Information Security and Policy Office by calling 335-6332 or sending email to it-security@uiowa.edu
PART 1: Site implementation/documentation in support of compliance at the University of Iowa
Required Controls:
| CONTROL | IMPLEMENTATION | REFERENCES AND RESOURCES |
| Sanctions Policy | site | Information Security Policy, Acceptable Use of Information Technology Resources Policy |
| Name a Security Officer | site | Roles and Responsibilities for Information Security |
| Incident Response Capability and Reporting Procedures | site | Security Incident Escalation Policy, I-CSIRT Team |
| Data Backup Policy | site and local* | Backup and Recovery Policy |
| Workstation use, access policy and procedures | site | Institutional Data Access Policy |
| Equipment disposal, re-use policy and procedures | site | Computer Data and Media Disposal Policy |
| Unique User ids for each person | site | Enterprise Login ID Standard |
| Strong authentication | site | Enterprise Password Policy |
| Policies and Procedures documented | site and local* | UI IT Policy Website |
| All documentation, including policy, reviewed and updated regularly, retained for 6 years, and made available to all affected persons. | site and local* | Enterprise Information Security Program Plan |
*For controls requiring both site and local implementation, the local unit must develop procedures in line with the site policy.
Addressable Controls:
| CONTROL | IMPLEMENTATION | REFERENCES AND RESOURCES |
| Security reminders, training, and anti-virus resources | site | Security Education Resource Webpage, Information Security Policy, Software Download Webpage, Anti-Virus Resource Center |
| Strong Password Policy | site | Enterprise Password Policy |
PART 2: Local implementation/documentation assistance in support of compliance at the University of Iowa.
Required Controls:
The following controls must be implemented and documented at the local level. Reference documents, samples, and other available resources are listed to assist.
| CONTROL | REFERENCES AND RESOURCES |
| Conduct a formal Risk Assessment | Institutional Data Access Policy,  Risk Assessment Template (.doc),  Sample Risk Assessment Report (.pdf) |
| Implement controls to reduce identified risks | HIPAA IT Security Plan (.pdf) |
| Develop procedures to review system activity logs, account privileges, account eligibility and duration, and incident records. | Information Security Policy, Reference |
| Develop a Disaster Recovery Plan | Enterprise IT Disaster Plan (includes unit/local DR plan instructions), Unit Disaster Plan Sample Forms (doc) |
| Develop an Emergency Operations Plan | Information Security Policy, Reference |
| Develop System Emergency Access Procedures | Reference |
| Implement auditing of system activity and its regular review | Information Security Policy, Reference |
| Business Associate Agreements for non-university access to PHI | Refer to University of Iowa HIPAA Privacy Officer for assistance at the Joint Office for Compliance, (319) 384-8282 or send an email to compliance@healthcare.uiowa.edu |
Addressable Controls:
The local unit must decide if each item below is reasonable and appropriate for their environment, and then either implement, implement an alternative, or not implement the control. If the control is not reasonable and appropriate, the local unit must document why the control is not reasonable and appropriate. Reference documents, samples, and other available resources are listed to assist.
| CONTROL | REFERENCES AND RESOURCES |
| Employee Termination Procedures | ; HR Sample Termination Checklist |
| Workforce supervision policy and procedures, background checks | HR background checks, Sample confidentiality agreement |
| Authorization policy and procedures for establishment and modification of access | Reference |
| Login monitoring | Acceptable Use of Information Technology Resources Policy |
| Regular testing of contingency plans | Information Security Policy |
| Perform data criticality analysis and classify data | Institutional Data Access Policy |
| Develop a facility (physical) security plan, including access control mechanisms, visitor control, and maintenance of records | Information Security Policy, Reference |
| Develop a system for equipment/inventory management | Reference |
| Implement automatic logoff on machines | Information Security Policy, Reference |
| Utilize encryption for privacy in communications, and for data integrity | Information Security Policy , Reference |
| Develop/implement integrity controls for data | Institutional Data Access Policy, Information Security Policy, Reference |