Description:

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that regulates the use and disclosure of health information by covered entities and their business associates, including any such "components" at Lehigh. Because Lehigh is not a "Covered Entity", it is not legally required to comply with HIPAA. Lehigh is nonetheless committed to protecting patient privacy and the security of health data.

HIPAA establishes national standards for the protection of individually identifiable health information, known as Protected Health Information (PHI). The HIPAA Security Rule specifically addresses the security of electronic PHI (ePHI).

Scope:

This standard applies to Lehigh University, including the Secure Research Cloud (SRC) environment in which ePHI may be stored, processed, or transmitted. The SRC is an enclave: sensitive research is conducted inside it, and data moves into and out of it only through defined, controlled paths.

The SRC provides researchers with a secure cloud enclave in which to conduct research in coordination with external customer entities, including work with Controlled Unclassified Information (CUI) and HIPAA-regulated data.

The HIPAA Security Compliance Standard documents and communicates HIPAA-compliant changes to Lehigh systems and associated environments. It applies to all Lehigh staff, faculty and students (e.g., Principal Investigators and researchers).

HIPAA-compliant updates include, but are not limited to, policy and standard updates (e.g., documentation changes) and security, training, and administrative updates. See the Security Requirements section below for more information.

Security Requirements:

The HIPAA Security Rule (45 CFR Part 160 and Subparts A and C of Part 164; see https://www.hhs.gov/hipaa/for-professionals/security/index.html, link subject to change) requires covered entities and business associates to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI. These safeguards include:

Administrative Safeguards: Policies and procedures designed to manage the selection, development, implementation, and maintenance of security measures. Examples include security awareness training, risk analysis, and contingency planning.
Physical Safeguards: Measures to protect electronic systems, equipment, and the data they hold, from unauthorized access, damage, or theft. Examples include facility access controls, workstation security, and device and media controls.
Technical Safeguards: Automated processes used to protect data and control access to ePHI. Examples include access controls, audit controls, and encryption.

In addition to the safeguards above, the Security Rule's Policies, Procedures and Documentation Requirements must also be addressed. The Organizational Requirements and other controls that apply only to covered entities and business associates are omitted from implementation because Lehigh is a non-covered entity (see the parenthetical annotations in the control mapping below).

To account for the Security Rule in its entirety, this standard follows the mapping in NIST Special Publication 800-66 Revision 2, the National Institute of Standards and Technology (NIST) guide to implementing the HIPAA Security Rule. The controls are mapped as follows:

5.1 Administrative Safeguards:
5.1.1. Security Management Process (§ 164.308(a)(1)): Implement policies and procedures to prevent, detect, contain, and correct security violations.
5.1.2. Assigned Security Responsibility (§ 164.308(a)(2)): Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the covered entity or business associate.
5.1.3. Workforce Security (§ 164.308(a)(3)): Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information.
5.1.4. Information Access Management (§ 164.308(a)(4)): Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.
5.1.5. Security Awareness and Training (§ 164.308(a)(5)): Implement a security awareness and training program for all members of its workforce (including management).
5.1.6. Security Incident Procedures (§ 164.308(a)(6)): Implement policies and procedures to address security incidents.
5.1.7. Contingency Plan (§ 164.308(a)(7)): Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.
5.1.8. Evaluation (§ 164.308(a)(8)): Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity’s or business associate’s security policies and procedures meet the requirements of this subpart.
5.1.9. Business Associate Contracts and Other Arrangements (§ 164.308(b)(1)) - (This safeguard will not apply to non-covered entities).

5.2 Physical Safeguards:
5.2.1. Facility Access Controls (§ 164.310(a)): Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.
5.2.2. Workstation Use (§ 164.310(b)): Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.
5.2.3. Workstation Security (§ 164.310(c)): Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.
5.2.4. Device and Media Controls (§ 164.310(d)): Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.

5.3 Technical Safeguards:
5.3.1. Access Control (§ 164.312(a)): Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to authorized individuals.
5.3.2. Audit Controls (§ 164.312(b)): Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
5.3.3. Integrity (§ 164.312(c)): Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
5.3.4. Person or Entity Authentication (§ 164.312(d)): Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
5.3.5. Transmission Security (§ 164.312(e)(1)): Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.

5.4 Organizational Requirements:
5.4.1. Business Associate Contracts or Other Arrangements (§ 164.314(a)) - (This requirement will not apply to non-covered entities).
5.4.2. Requirements for Group Health Plans (§ 164.314(b)) - (This requirement will not apply to non-covered entities).

5.5 Policies and Procedures and Documentation Requirements:
5.5.1. Policies and Procedures (§ 164.316(a)): Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in § 164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity or business associate may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart.
5.5.2. Documentation (§ 164.316(b)): (i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and (ii) if an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.

Implementation:

HIPAA requirements within Lehigh’s Secure Research Cloud are implemented by Library & Technology Services (LTS) staff.
Each implemented requirement is tracked and logged in the HIPAA Secure Research Cloud Security Requirements Traceability Matrix.

Lehigh conducts risk analysis to identify potential threats and vulnerabilities to ePHI and implements appropriate security measures to address those risks. Security measures are documented and reviewed periodically to ensure their effectiveness.

Non-Covered Entity Disclaimer:

If an entity (e.g., Lehigh University) does not meet the definition of a covered entity or business associate, it does not have to comply with the HIPAA Rules. However, a number of organizations have called for HIPAA compliance for non-covered entities, to ensure they do not compromise patient privacy.

Additional Considerations:

  • Mobile Devices: If mobile devices are used to access or store ePHI, appropriate security measures must be implemented, such as encryption, password protection, and remote wipe capabilities.

  • Cloud Storage: If ePHI is stored in the cloud, ensure that the cloud provider meets HIPAA security requirements and that a Business Associate Agreement (BAA) is in place.

  • Data Disposal: When disposing of electronic media that contains ePHI, ensure that the data is properly sanitized or destroyed to prevent unauthorized access.

Enforcement:

The HIPAA Security Rule is enforced by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). OCR has the authority to investigate complaints and impose penalties for violations of the HIPAA Security Rule.

HIPAA-Compliant Committee Membership Development:

The committee will include representatives from campus non-Covered Entities:

• Non-Covered Entities

o Library & Technology Services
o Athletics Department – Not included for now, because the Office of General Counsel (OGC) has designated its records as falling under FERPA
o Vacc Clinic – Not included – For now, the Autism Clinic will not be added
o University Communications
o Office of Institutional Integrity and General Counsel (in an advisory capacity)
o Office of Research Integrity
o Office of Enterprise Risk Management

Committee Responsibilities:

  • Monitoring legislative changes in privacy and security regulations

  • Assessing and determining campus non-compliance events, such as HIPAA breaches, and managing campus responses as determined by HIPAA regulations.

  • Implementing standardized policies and procedures for protected health information that comply with HIPAA regulations, including, but not limited to, ensuring compliance with and enforcement of PHI security, use and disclosure requirements by other University employees, as appropriate, and by external third parties.

  • Monitoring implementation of HIPAA policies and procedures

  • Maintaining a written (paper or electronic) record of actions, activities or assessments required to be documented by the HIPAA regulations. Such records may include, but are not limited to:
    a. Committee minutes
    b. Committee and task force charters
    c. Executive memoranda

  • Designing and disseminating a university-wide annual HIPAA training program that informs all staff to whom this policy applies, including management, of the policies and procedures that apply to them in their individual roles. This training is to include non-Covered Entity staff who encounter PHI as part of their functions, as appropriate.

HIPAA Security Officers:

Entity                        | Security Officer | Phone        | Email
Library & Technology Services | Eric Zematis     | 610-758-3994 | ejz218@lehigh.edu

Related:

  • HIPAA Security Rule

  • NIST Cybersecurity Framework

  • HHS Office for Civil Rights (OCR)

Definitions:

Covered Entity: A health plan, a healthcare clearinghouse, or a healthcare provider who transmits any health information in electronic form in connection with a transaction covered by HIPAA.

Protected Health Information (PHI): Individually identifiable health information that is transmitted or maintained in any form or medium, including electronic, paper, or oral.

Electronic Protected Health Information (ePHI): PHI that is transmitted or maintained in electronic media.

Breach: an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised, based on a risk assessment.

Breach Notification: refers to the notification process following a breach of unsecured protected health information that must be provided to affected individuals, the Secretary of Health and Human Services, and, in certain circumstances, to the media. In addition, business associates must notify covered entities if a breach occurs at or by the business associate.

Business Associate: refers to a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.

Confidentiality: means that PHI data or information is not made available or disclosed to unauthorized persons or processes.

Data custodian: refers to the designated Library & Technology Services staff members who are responsible for providing a secure infrastructure for HIPAA-compliant data processing services in the University’s Secure Research Cloud. This includes software applications, data, networks, and operating systems (see the University Data Classification Policy).

Data stewards: refers to the University staff responsible for direct operational level information management, including assignment of data access permissions to users.

Disclosure: at Lehigh means the release, transfer, provision of access to, or divulgence in any other manner, of information to any organization external to Lehigh University.

Electronic Media: means either of the following:
• Electronic storage media including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, digital memory card, or videotapes; or
• Transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the internet (wide-open), extranet (using internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media, because the information being exchanged did not exist in electronic form before the transmission.
Electronic Protected Health Information (ePHI): means individually identifiable health information that is:
• Transmitted by electronic media to secure websites; or
• Maintained in electronic media, such as the secure HIPAA drive. ePHI is not to be stored on computer hard drives, laptops, PDAs, floppy disks, rewritable devices, flash memory devices, or USB memory devices.
HIPAA Compliance Officer: refers to the individual within each Covered Entity tasked with overall responsibility for HIPAA privacy and security compliance.

Information Systems: means the workstations used within Lehigh to connect to the network and to access, store, and manipulate ePHI.

Integrity: means that PHI data or information have not been altered or destroyed in an unauthorized manner.

Limited Data Set: redacted medical data sets received from another party and used in Lehigh’s Secure Research Cloud for research purposes only.

Risk: means the likelihood that a specific threat will exploit certain vulnerabilities and the resulting impact of that event.

Security Measures: means security policies, procedures, standards, and controls regarding ePHI.

Member: means persons whose conduct, in the performance of work for a non-covered entity.

HIPAA Security Officer: refers to the individual within Lehigh’s Library & Technology Services responsible for Lehigh’s HIPAA electronic security compliance.

Use: means, with respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within Lehigh.

Workstation: includes the hardware, software, and other applications used to access ePHI stored on the network.

Revision History:

Date      | Version | Description                 | Approval
3/19/2024 | 0.1     | Original Document           | Draft
1/8/2025  | 0.2     | Major revisions and updates | Draft
