...

  • Monitoring legislative changes in privacy and security regulations

  • Assessing and determining campus non-compliance events, such as HIPAA breaches, and managing campus responses as determined by HIPAA regulations.

  • Implementing standardized policies and procedures with respect to protected health information that comply with HIPAA regulations, including, but not limited to, ensuring compliance with and enforcement of PHI security, use and disclosure requirements by other University employees, as appropriate, and by external third parties.

  • Monitoring implementation of HIPAA policies and procedures

  • Maintaining a written (paper or electronic) record of actions, activities or assessments required to be documented by the HIPAA regulations. Such records may include, but are not limited to:
    a. Committee Minutes
    b. Committee/task force charters
    c. Executive memorandums
    d. Committee charter

  • Designing and disseminating a university-wide HIPAA annual training program that informs all staff to whom this policy applies, including management, of all policies and procedures that apply to them in their individual roles. Notwithstanding the foregoing, this training is to include non-Covered Entity staff who encounter PHI as part of their functions as appropriate.

HIPAA Security Officers:

Entity                          Privacy Officer   Phone          Email
Library & Technology Services   Eric Zematis      610-758-3994   ejz218@lehigh.edu

Related:

  • HIPAA Security Rule

  • NIST Cybersecurity Framework

  • HHS Office for Civil Rights (OCR)

Definitions:

Protected Health Information (PHI): Individually identifiable health information that is transmitted or maintained in any form or medium, including electronic, paper, or oral.

Electronic Protected Health Information (ePHI): PHI that is transmitted or maintained in electronic media.

Breach: generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates through a risk assessment that there is a low probability that the protected health information has been compromised.

Breach Notification: refers to the notification process following a breach of unsecured protected health information that must be provided to affected individuals, the Secretary of Health and Human Services, and, in certain circumstances, to the media. In addition, business associates must notify covered entities if a breach occurs at or by the business associate.

Business Associate: refers to a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.

Covered Entity: is a health plan, a healthcare clearinghouse, or a healthcare provider who transmits any health information in electronic form in connection with a transaction covered by HIPAA.

Confidentiality: means that PHI data or information is not made available or disclosed to unauthorized persons or processes.

Data custodian: refers to the designated Library & Technology Services staff members who are responsible for providing a secure infrastructure for conducting HIPAA-compliant data processing services for the University’s Secure Research Cloud. This includes software applications, data, networks, and operating systems (see the University Data Classification Policy).

Data stewards: refers to the University staff responsible for direct operational level information management, including assignment of data access permissions to users.

Disclosure: at Lehigh means the release, transfer, provision of access to, or divulgence in any other manner, of information to any organization external to Lehigh University.

Electronic Media: means the following:
• Electronic storage media, including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, digital memory card, or videotapes; or
• Transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the internet (wide-open), extranet (using internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper via facsimile and of voice via telephone, are not considered to be transmissions via electronic media, because the information being exchanged did not exist in electronic form before the transmission.

Electronic Protected Health Information (EPHI): means individually identifiable health information that is:
• Transmitted by electronic media to secure websites; or
• Maintained in electronic media, such as being stored on the secure HIPAA drive. EPHI is not to be stored on computer hard drives, laptops, PDAs, floppy disks, rewritable devices, flash memory devices, or USB memory devices.

HIPAA Compliance Officer: refers to the individual within each Covered Entity tasked with overall responsibility for HIPAA privacy and security compliance.

Information Systems: means the workstations used within Lehigh to connect to the network and to access, store, and manipulate EPHI.

Integrity: means that PHI data or information have not been altered or destroyed in an unauthorized manner.

Limited Data Set: is the redacted medical data sets (e.g., type) held in Lehigh’s Secure Research Cloud, received from another party and used for research-only purposes.

Risk: means the likelihood that a specific threat will exploit certain vulnerabilities and the resulting impact of that event.

Security Measures: means security policies, procedures, standards, and controls regarding EPHI.

Member: means persons whose conduct, in the performance of work for a non-covered entity.

HIPAA Security Officer: refers to the individual within Lehigh’s Library & Technology Services responsible for Lehigh’s HIPAA electronic security compliance.

Use: means, with respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within Lehigh.

Workstation: includes the hardware, software, and other applications used to access EPHI stored on the network.

Revision History:

Date       Version   Description                   Approval
3/19/24    0.1       Original Document             Draft
1/8/2025   0.2       Major revisions and updates   Draft