...
Furthermore, HIPAA establishes a set of national standards for the protection of individually identifiable health information, known as Protected Health Information (PHI). The HIPAA Security Rule specifically addresses the security of electronic PHI (ePHI).
Scope:
This standard applies to Lehigh University which includes the Secure Research Cloud (SRC) environment where ePHI may be stored, processed, or transmitted. This environment is an enclave environment where sensitive research is designed to be conducted with only defined movement of data into and out of the environment.
...
To account for implementing the totality of the HIPAA Security Rule, the National Institute of Standards and Technology (NIST) (see reference documentation NIST SP 800-66r2) has drawn out the intersection of controls for HIPAA Security Rule implementation. These controls are mapped as follows:
5.1 Administrative Safeguards:
5.1.1. Security Management Process (§ 164.308(a)(1)): Implement policies and procedures to prevent, detect, contain, and correct security violations.
5.1.2. Assigned Security Responsibility (§ 164.308(a)(2)): Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the covered entity or business associate.
5.1.3. Workforce Security (§ 164.308(a)(3)): Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information.
5.1.4. Information Access Management (§ 164.308(a)(4)): Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.
5.1.5. Security Awareness and Training (§ 164.308(a)(5)): Implement a security awareness and training program for all members of its workforce (including management).
5.1.6. Security Incident Procedures (§ 164.308(a)(6)): Implement policies and procedures to address security incidents.
5.1.7. Contingency Plan (§ 164.308(a)(7)): Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.
5.1.8. Evaluation (§ 164.308(a)(8)): Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity’s or business associate’s security policies and procedures meet the requirements of this subpart.
5.1.9. Business Associate Contracts and Other Arrangements (§ 164.308(b)(1)): (This safeguard will not apply to non-covered entities.)
5.2 Physical Safeguards:
5.2.1. Facility Access Controls (§ 164.310(a)): Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.
5.2.2. Workstation Use (§ 164.310(b)): Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.
5.2.3. Workstation Security (§ 164.310(c)): Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.
5.2.4. Device and Media Controls (§ 164.310(d)): Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.
5.3 Technical Safeguards:
5.3.1. Access Control (§ 164.312(a)): Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to authorized individuals.
5.3.2. Audit Controls (§ 164.312(b)): Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
5.3.3. Integrity (§ 164.312(c)): Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
5.3.4. Person or Entity Authentication (§ 164.312(d)): Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
5.3.5. Transmission Security (§ 164.312(e)(1)): Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
5.4 Organizational Requirements:
5.4.1. Business Associate Contracts or Other Arrangements (§ 164.314(a)): (This requirement will not apply to non-covered entities.)
5.4.2. Requirements for Group Health Plans (§ 164.314(b)): (This requirement will not apply to non-covered entities.)
5.5 Policies and Procedures and Documentation Requirements:
5.5.1. Policies and Procedures (§ 164.316(a)): Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in § 164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity or business associate may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart.
5.5.2. Documentation (§ 164.316(b)): (i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and (ii) if an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.
Implementation:
Implementation of HIPAA requirements within Lehigh’s Secure Research Cloud will be performed by LTS Staff.
HIPAA requirements implemented will be tracked and logged in the HIPAA Secure Research Cloud Security Requirements Traceability Matrix. Lehigh conducts risk analysis to identify potential threats and vulnerabilities to ePHI and implement appropriate security measures to address those risks. Security measures are documented and reviewed periodically to ensure their effectiveness.
Non-Covered Entity Disclaimer:
If an entity (e.g., Lehigh University) does not meet the definition of a covered entity or business associate, it does not have to comply with the HIPAA Rules. However, a number of organizations have called for HIPAA compliance for non-covered entities, to ensure they do not compromise patient privacy.
Additional Considerations:
...
o Library & Technology Services
o Athletics Department – Not Included – For now, we will not add the athletic department due to OGC designation as FERPA
o Vacc Clinic – Not Included – For now, we will not add the Autism Clinic.
o University Communications
o Office of Institutional Integrity and General Counsel (in an advisory capacity)
o Office of Research Integrity
o Office of Enterprise Risk Management
...
HIPAA Security Rule
NIST Cybersecurity Framework
HHS Office for Civil Rights (OCR)
Definitions:
Covered Entity: A health plan, a healthcare clearinghouse, or a healthcare provider who transmits any health information in electronic form in connection with a transaction covered by HIPAA.
Protected Health Information (PHI): Individually identifiable health information that is transmitted or maintained in any form or medium, including electronic, paper, or oral.
Electronic Protected Health Information (ePHI): PHI that is transmitted or maintained in electronic media.
Breach: generally is an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment.
Breach Notification: refers to the notification process following a breach of unsecured protected health information that must be provided to affected individuals, the Secretary of Health and Human Services, and, in certain circumstances, to the media. In addition, business associates must notify covered entities if a breach occurs at or by the business associate.
Business Associate: refers to a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.
Confidentiality: means that PHI data or information is not made available or disclosed to unauthorized persons or processes.
Data custodian: refers to the designated Library & Technology Services staff members who are responsible for providing a secure infrastructure for HIPAA-compliant data processing services in the University’s Secure Research Cloud. This includes software applications, data, networks, and operating systems (see the University Data Classification Policy).
Data stewards: refers to the University staff responsible for direct operational level information management, including assignment of data access permissions to users.
Disclosure: at Lehigh means the release, transfer, provision of access to, or divulgence in any other manner, of information to any organization external to Lehigh University.
Electronic Media: means either of the following:
• Electronic storage media including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, digital memory card, or videotapes; or
• Transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the internet (wide-open), extranet (using internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media, because the information being exchanged did not exist in electronic form before the transmission.
Electronic Protected Health Information (EPHI): means individually identifiable health information that is:
• Transmitted by electronic media to secure websites.
• Maintained in electronic media such as being stored on the secure HIPAA drive. EPHI is not to be stored on computer hard drives, laptops, PDAs, floppy disks, rewritable devices, flash memory devices, or USB memory devices.
HIPAA Compliance Officer: refers to the individual within each Covered Entity tasked with overall responsibility for HIPAA privacy and security compliance.
Information Systems: means the workstations used within Lehigh to connect to the network and to access, store, and manipulate EPHI.
Integrity: means that PHI data or information have not been altered or destroyed in an unauthorized manner.
Limited Data Set: refers to the redacted medical data sets received from another party and used in Lehigh’s Secure Research Cloud for research-only purposes.
Risk: means the likelihood that a specific threat will exploit certain vulnerabilities and the resulting impact of that event.
Security Measures: means security policies, procedures, standards, and controls regarding EPHI.
Member: means persons whose conduct, in the performance of work for a non-covered entity.
HIPAA Security Officer: refers to the individual within Lehigh’s Library & Technology Services responsible for Lehigh’s HIPAA electronic security compliance.
Use: means, with respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within Lehigh.
Workstation: includes the hardware, software, and other applications used to access EPHI stored on the network.
Revision History:
Date     | Version | Description                 | Approval
3/19/24  | 0.1     | Original Document           | Draft
1/8/2025 | 0.2     | Major revisions and updates | Draft