Achieving HIPAA Security Regulations Compliance

January 2009


REQUIRED controls must be implemented by the covered entity in order to achieve compliance with the regulation.

ADDRESSABLE controls must be evaluated to determine if they are reasonable and appropriate for the covered entity. The covered entity must then either implement the control, implement an alternative, or not implement the control. If the control is not reasonable and appropriate, the covered entity must document why it is not reasonable and appropriate.


PART 1 includes documentation of the required and addressable HIPAA security controls implemented at The University of Iowa on a site-wide basis.

PART 2 includes policy, reference information, and samples to assist local units which are components of the "Hybrid Entity" at The University of Iowa with implementation of required and addressable security controls.


Questions about the implementation of security controls for protection of University of Iowa systems that handle electronic protected health information (i.e., Restricted-Health data) may be directed to the Information Security and Policy Office by calling 335-6332 or sending email to it-security@uiowa.edu.


PART 1: Site implementation/documentation in support of compliance at the University of Iowa


Required Controls:

CONTROL | IMPLEMENTATION | REFERENCES AND RESOURCES
Sanctions Policy | site | Information Security Policy; Acceptable Use of Information Technology Resources Policy
Name a Security Officer | site | Roles and Responsibilities for Information Security
Incident Response Capability and Reporting Procedures | site | Security Incident Escalation Policy; I-CSIRT Team
Data Backup Policy | site and local* | Backup and Recovery Policy
Workstation use, access policy and procedures | site | Institutional Data Access Policy
Equipment disposal, re-use policy and procedures | site | Computer Data and Media Disposal Policy
Unique User IDs for each person | site | Enterprise Login ID Standard
Strong authentication | site | Enterprise Password Policy
Policies and Procedures documented | site and local* | UI IT Policy Website
All documentation, including policy, reviewed and updated regularly, retained for 6 years, and made available to all affected persons | site and local* | Enterprise Information Security Program Plan

*For controls requiring both site and local implementation, the local unit must develop procedures in line with the site policy.

Addressable Controls:

CONTROL | IMPLEMENTATION | REFERENCES AND RESOURCES
Security reminders, training, and anti-virus resources | site | Security Education Resource Webpage; Information Security Policy; Software Download Webpage; Anti-Virus Resource Center
Strong Password Policy | site | Enterprise Password Policy



PART 2: Local implementation/documentation assistance in support of compliance at the University of Iowa


Required Controls:

The following controls must be implemented and documented at the local level. Reference documents, samples, and other available resources are listed to assist.

CONTROL | REFERENCES AND RESOURCES
Conduct a formal Risk Assessment | Institutional Data Access Policy; Risk Assessment Template (.doc); Sample Risk Assessment Report (.pdf)
Implement controls to reduce identified risks | HIPAA IT Security Plan (.pdf)
Develop procedures to review system activity logs, account privileges, account eligibility and duration, and incident records | Information Security Policy; Reference
Develop a Disaster Recovery Plan | Enterprise IT Disaster Plan (includes unit/local DR plan instructions); Unit Disaster Plan Sample Forms (.doc)
Develop an Emergency Operations Plan | Information Security Policy; Reference
Develop System Emergency Access Procedures | Reference
Implement auditing of system activity and its regular review | Information Security Policy; Reference
Business Associate Agreements for non-university access to PHI | Refer to the University of Iowa HIPAA Privacy Officer at the Joint Office for Compliance, (319) 384-8282, or send an email to compliance@healthcare.uiowa.edu

Addressable Controls:

The local unit must decide if each item below is reasonable and appropriate for its environment, and then either implement the control, implement an alternative, or not implement the control. If the control is not reasonable and appropriate, the local unit must document why it is not reasonable and appropriate. Reference documents, samples, and other available resources are listed to assist.

CONTROL | REFERENCES AND RESOURCES
Employee Termination Procedures | HR Sample Termination Checklist
Workforce supervision policy and procedures, background checks | HR background checks; Sample confidentiality agreement (.pdf)
Authorization policy and procedures for establishment and modification of access | Reference
Login monitoring | Acceptable Use of Information Technology Resources Policy
Regular testing of contingency plans | Information Security Policy
Perform data criticality analysis and classify data | Institutional Data Access Policy
Develop a facility (physical) security plan, including access control mechanisms, visitor control, and maintenance of records | Information Security Policy; Reference
Develop a system for equipment/inventory management | Reference
Implement automatic logoff on machines | Information Security Policy; Reference
Utilize encryption for privacy in communications, and for data integrity | Information Security Policy; Reference
Develop/implement integrity controls for data | Institutional Data Access Policy; Information Security Policy; Reference