FOR COMMENT
In the January 11, 2005 issue of Almanac, we introduced the topic of HIPAA (Health Insurance Portability and Accountability Act of 1996) security and noted which areas of the University must comply with the “Security Standards for the Protection of Electronic Health Information” by April 21, 2005. This federal regulation requires covered entities to implement specific safeguards to protect the confidentiality, integrity and availability of protected health information that is in electronic form.
Penn’s HIPAA Security Team has developed a single policy to meet the minimum obligations in HIPAA. The policy is broad and allows each affected area to develop more detailed procedures that support the policy requirements as appropriate to mitigate risk. While much of the policy comes directly from the HIPAA security regulation and leaves limited opportunity for alteration, we would like to submit it for public comment in order to elicit reactions, questions, concerns and suggested changes. Please forward comments to Jim Cunningham, HIPAA Security Program Manager, at jcunnin@pobox.upenn.edu or call (215) 898-5790 by March 22.
Because the University is designated as a “hybrid entity,” one in which only some schools, offices and centers are HIPAA-regulated, and because of the complexities of the various laws governing sensitive information, applicability of the policy is not always obvious. While we believe the policy requirements are “best practice,” and (where reasonable and appropriate) should be applied to any sensitive electronic data, adherence is not required in all cases. Given that the policy reflects best practices, it may be more practical for affected areas to implement policy-supporting procedures to safeguard all sensitive data rather than differentiate those that are covered only by HIPAA.
—Robin Beck, Vice President, Information Systems and Computing
Policy on Security of Electronic Protected Health Information (ePHI)
Key Principles
HIPAA is a federal law that, among other things, focuses on protecting the privacy and security of personal health information (protected health information or PHI). This law affords certain rights to individuals regarding their PHI and imposes obligations upon many institutions that maintain such PHI. At Penn, the following entities are responsible for compliance with HIPAA privacy and security regulations: the University of Pennsylvania Health System (UPHS), the School of Medicine (SOM), the School of Dental Medicine (SODM), the Living Independently For Elders (LIFE) program, Student Health Services, and the HR Benefits program, as well as workforce members of other Penn offices that, while offering support to these entities, access PHI.
The two regulations are inextricably linked, but the HIPAA security regulation (compliance mandated by April 21, 2005) is distinguished from the HIPAA privacy regulation (compliance mandated by April 14, 2003): the privacy regulation applies to PHI in all forms, whereas the security regulation applies only to PHI that is stored or transmitted electronically (ePHI) and prescribes more detailed requirements for securing that data.
This security policy outlines minimum standards for ensuring the confidentiality, integrity and availability of electronic protected health information (ePHI) received, maintained or transmitted by all University HIPAA Covered Components (listed below), as well as other offices which support these entities (listed below as “Support Services”). Covered Components shall meet or exceed these standards by implementing the necessary administrative, physical and technical safeguards as appropriate based on their assessments of risk. Compliance by Support Services with these standards is limited to their activities that directly involve creation or receipt of ePHI in support of Covered Components and not activities related to services provided to non-covered areas of the University.
Definitions
Business Associate—Any contracted entity or individual outside of Penn that creates, receives, maintains, or transmits electronic protected health information on the Covered Component’s behalf.
Covered Components and Support Services—HIPAA contains a “hybrid entity” provision that allows organizations with varied components to designate only part of their organization as HIPAA-regulated. Under the hybrid entity provisions, the University has identified regulated areas as those that are “Covered Components” or “Support Services,” as described below.
Covered Component—This term includes Penn schools or centers that are “health care providers” that conduct HIPAA standard electronic transactions or “health plans” under the Rules. At Penn, this includes: UPHS, School of Medicine, School of Dental Medicine, Living Independently For Elders (LIFE) program, Student Health Services, and the Employee Health Benefit Plan. University of Pennsylvania Health System (not listed) has separately developed policies and procedures pertaining to security practices, including those related to ePHI.
Support Services—In addition to these Covered Components, a number of departments/offices (Support Services) create or receive ePHI in support of the Covered Components. These Support Services are obligated to comply with the HIPAA Security Rule only with regard to their creation or receipt of ePHI in their support of Covered Components and their covered activities, not in their support of non-covered areas within the University. Each Support Service may develop additional procedures as reasonable and appropriate given its constraints, capabilities and level of risk, or may elect to support this policy through awareness within its area:
• Office of Regulatory Affairs
• Institutional Review Board (eight review boards)
• Office of the General Counsel
• Office of Audit and Compliance
• University Archives and Records Center
• Office of Environmental Health and Radiation Services
• Office of Risk Management and Insurance
• Office of the President
• Office of the Provost
• Office of the Executive Vice President
• Office of Student Financial Services
• Office of Development and Alumni Relations
• Office of the Comptroller
• Office of Information Systems and Computing
• School of Nursing: Office of Technology and Information Systems, Center for Nursing Research, and Office of Business and Finance
• VPUL Technical Support
ePHI—electronic protected health information—Individually identifiable health information which is:
• Transmitted by electronic media
• Maintained in electronic media
Electronic media means:
• Electronic storage media including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk or digital memory card; or
• Transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the Internet (wide-open), extranet (using Internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media, because the information being exchanged did not exist in electronic form before the transmission.
HIPAA—“HIPAA” is an acronym for the Health Insurance Portability & Accountability Act of 1996 (August 21), Public Law 104-191, which amended the Internal Revenue Code of 1986. Also known as the Kennedy-Kassebaum Act, the Act includes a section, Title II, entitled Administrative Simplification, requiring:
1. Improved efficiency in healthcare delivery by standardizing electronic data interchange, and
2. Protection of confidentiality and security of health data through setting and enforcing standards.
Under the HIPAA law, the Security Standards were published in the Federal Register on February 20, 2003, with a regulation effective date of April 21, 2003 and a compliance date of April 21, 2005.
Workforce—anyone accessing ePHI working with the University of Pennsylvania’s Covered Components and their shared Support Services as an employee, volunteer, student or faculty member.
Scope and Applicability
While application of this policy to any sensitive data is considered “best practice” and should be considered by all areas of the University when storing or transmitting such information, it is mandated only for those areas the University has designated as HIPAA “Covered Components.” In addition, offices that support the covered activities carried out by the Covered Components must follow this policy in that supporting work.
Certain data is specifically excluded from coverage under HIPAA, most importantly:
1. student records, except for student patient data maintained at Student Health Services
2. employment records, except for health benefits records
3. information “de-identified” under HIPAA standards
Exceptions
Exceptions to this policy must be documented and submitted for approval to the University Information Security Officer who will consult with the Office of General Counsel. Appeals of decisions shall be referred to the Vice President of Information Systems and Computing.
Policy Requirements
University Covered Components and Support Services as defined above shall conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI and shall implement security measures sufficient to reduce risks and vulnerabilities. Such measures shall be implemented based on the level of risks, capabilities, and operating requirements of each office/department. These measures must include as appropriate and reasonable the following safeguards:
Administrative Safeguards
1. Sanctions: Appropriate sanctions against workforce members who fail to comply with the security procedures in their organization (refer to Human Resource Policy 001: Adherence to University Policy).
2. System Monitoring: Procedures to regularly review records of information systems activity, such as audit logs, access reports, and security incident tracking reports.
3. Security Officer: Assignment of a single person for each Covered Component to be responsible for development and implementation of safeguards, with coordination by the University Chief Security Officer to ensure broader threats and vulnerabilities are addressed University-wide.
4. Workforce Supervision: Procedures for the authorization and/or supervision of workforce members who work with ePHI or in locations where it might be accessed.
5. Appropriate Access: Procedures to determine that the access of a workforce member to ePHI is appropriate to support their role in business or clinical operations.
6. Access Termination: Procedures for terminating access to ePHI when employment ends or need for access no longer exists.
7. Business Associate Obligations: Ensure safeguards are contractually (appropriate language provided by Office of General Counsel) mandated with any Business Associate or transaction clearinghouse that may have access to University ePHI.
8. Access: Procedures that grant access to ePHI by establishing, documenting, reviewing and modifying a user’s right of access to a workstation, software application/transaction or process.
9. Awareness Training: Establish on-going security awareness through training or other means that provide workforce (including management) with updates to procedures and policies for guarding against, detecting and reporting malicious software. Awareness should also address procedures for monitoring log-in attempts and reporting discrepancies, as well as procedures for safeguarding passwords.
10. Incident Response: Procedures for responding to, documenting and mitigating where practicable suspected or known security incidents and their outcomes.
11. Business Continuity: Based upon an assessment of data criticality, each Covered Component will develop a contingency, data backup and business continuity plan to ensure exact data backups are created, maintained and retrievable. Such procedures shall enable continuation of critical business processes for the security of ePHI while operating in an emergency mode. Periodic testing of the procedures should be done with revisions made as necessary.
Physical Safeguards
12. Physical Access: Procedures to limit physical access to ePHI and the facility or facilities in which they are housed while ensuring that properly authorized access is allowed.
13. Physical Identification Validation: Access must be physically safeguarded to prevent tampering and theft. Procedures must address control and validation of a person’s access to facilities based on their role or function, including visitors, employees, faculty, students and vendors.
14. Modification and Repairs: Maintenance records should document repairs and modifications to the physical components of a facility as it relates to security.
15. Environment: Procedures that specify the proper functions to be performed, the manner in which they are to be performed and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI.
16. Media Movement: Procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, and the movement of these items within the facility.
17. Media Final Disposition: Procedures to address the final disposition of ePHI, and/or the hardware or electronic media on which it is stored. Procedure must include process for removal of ePHI from electronic media before the media is made available for other use.
Technical Safeguards
18. User Sign-on: Access rights procedures which assign unique names or numbers for identifying and tracking user identity. Such procedures shall ensure appropriate access during an emergency. Electronic sessions shall terminate automatically after a predetermined time. ePHI shall be encrypted and decrypted when necessary and appropriate for electronic transmission.
19. Data Integrity: Procedures that protect ePHI from improper alteration or destruction, which should include a mechanism to authenticate ePHI and corroborate that it has not been altered or destroyed in an unauthorized manner.
20. Authentication: Procedures or mechanisms to verify that a person or entity seeking access to ePHI is the one claimed.
21. Data Transmissions: Technical safeguards to ensure ePHI transmitted over an electronic communications network is not accessed by unauthorized persons or groups, and that such information is not improperly modified without detection until disposed of.
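As an added illustration, not part of the policy text or of any Penn procedure, the following Python example shows one mechanism that satisfies the “authenticate ePHI and corroborate that it has not been altered” requirement of item 19 and the “not improperly modified without detection” requirement of item 21: an HMAC-SHA256 tag computed over a canonical serialization of a record, checked with a constant-time comparison before the record is trusted. The key, the sample record and the function names are assumptions made for the illustration; the patient data is fictitious.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample key for this illustration only.  A production system
# would obtain the key from a key-management service or HSM, never hard-code it.
SAMPLE_KEY = bytes.fromhex(
    "5a1f0c3d9e7b2a4c6d8e0f1a2b3c4d5e6f708192a3b4c5d6e7f8091a2b3c4d5e"
)

# Constructed sample ePHI record (fictitious patient data).
SAMPLE_RECORD = {
    "mrn": "000123456",
    "name": "Doe, Jane",
    "dob": "1970-01-01",
    "diagnosis": "J45.20",
}


def canonical(record: dict) -> bytes:
    """Serialize deterministically: same content always yields the same bytes,
    so key order or whitespace differences cannot cause spurious tag mismatches."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(record: dict, key: bytes) -> dict:
    """Attach an HMAC-SHA256 tag to a record.  Without the key, an attacker
    cannot produce a valid tag for altered content."""
    body = canonical(record)
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode("utf-8"), "tag": tag}


def verify(sealed: dict, key: bytes) -> Optional[dict]:
    """Return the record only if its tag matches the stored body, else None.
    compare_digest avoids the timing leak of a plain == on the tag."""
    body = sealed["body"].encode("utf-8")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["tag"]):
        return None
    return json.loads(body)


def tamper(sealed: dict, old: str, new: str) -> dict:
    """Simulate an unauthorized edit to the stored body; the tag is left as-is."""
    return {"body": sealed["body"].replace(old, new), "tag": sealed["tag"]}


if __name__ == "__main__":
    sealed = seal(SAMPLE_RECORD, SAMPLE_KEY)
    print("intact record verifies:", verify(sealed, SAMPLE_KEY) == SAMPLE_RECORD)
    altered = tamper(sealed, "J45.20", "J45.50")
    print("altered record verifies:", verify(altered, SAMPLE_KEY) is not None)
```

Two caveats a practitioner would add: the tag proves integrity only to parties who hold the key, so key custody (who can compute tags) is part of the control, and the tag does nothing for confidentiality in transit, which item 21 and the encryption language of item 18 still require separately (for example, TLS on the transport).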
Policy References
Administrative Computing Security Policy: www.upenn.edu/computing/policy/acsp.html
Acceptable Use Policy: www.upenn.edu/computing/policy/aup.html
Critical Host Security Guidelines: www.upenn.edu/computing/security/crithost/critical_host_guidelines.html
Adherence to University Policy: www.hr.upenn.edu/policy/policies/001.asp
Plant Assets—Disposal of Computing Equipment: www.finance.upenn.edu/vpfinance/fpm/1100/1106.31.shtml
Almanac, Vol. 51, No. 22, February 22, 2005