Penn Computing

Penn Computing

Computing Menu Computing A-Z
Computing Home Information Systems & Computing Penn

Security Checklists & Policies
Secure desktop computing
Secure servers
Secure web applications
Tips for safe computing
Computing policies
Harrassment & forgery
Hoaxes, frauds & scams
Spam & Email relays
Encryption & digital signatures

More in-depth information for
Local support providers
System administrators
Application developers

Security initiatives
Critical Host compliance
Authentication & authorization
Penn Security & Privacy Assessment (SPIA)

Related links
Electronic privacy
Worms, trojans, backdoors

Policy on Security of Electronic Protected Health Information (ePHI)

Policy of Record Almanac 4/5/2005

Key Principles:

HIPAA is a federal law that, among other things, focuses on protecting the privacy and security of personal health information ("protected health information" or "PHI"). This law affords certain rights to individuals regarding their PHI and imposes obligations upon many institutions that maintain such PHI. At Penn, the following entities are responsible for compliance with HIPAA privacy and security regulations: the University of Pennsylvania Health System ("UPHS"), the School of Medicine ("SOM"), the School of Dental Medicine ("SODM"), the Living Independently For Elders ('LIFE") program, Student Health Services, and HR Benefits program, as well as workforce members of other Penn offices that, while offering support to these entities, access PHI.

While inextricably linked, the HIPAA security regulation (compliance mandated by April 21, 2005) is distinguished from the HIPAA privacy regulation (compliance mandated by April 14, 2003) in that it applies to electronic storage and transmission of PHI ("ePHI"), compared with the privacy regulation which applies to all forms of PHI) and prescribes more detailed requirements for securing such data.

This security policy outlines minimum standards for ensuring the confidentiality, integrity, and availability of electronic protected health information (ePHI) received, maintained or transmitted by all University HIPAA Covered Components (listed below), as well as other offices which support these entities (listed below as "Support Services"). Covered Components shall meet or exceed these standards by implementing the necessary administrative, physical and technical safeguards as appropriate based on their assessments of risk. Compliance by Support Services with these standards is limited to their activities that directly involve creation or receipt of ePHI in support of Covered Components and not activities related to services provided to non-covered areas of the University.


Business Associate - any contracted entity or individual outside of Penn that creates, receives, maintains, or transmits electronic protected health information on the Covered Component's behalf.

Covered Components and Support Services -HIPAA contains a "hybrid entity" provision that allows organizations with varied components to designate only part of their organization as HIPAA-regulated. Under the hybrid entity provisions, the University has identified regulated areas as those that are "Covered Components" Or "Support Services," as described below.

Covered Component - This term includes Penn schools or centers that are "health care providers" that conduct HIPAA standard electronic transactions or "health plans" under the Rules. At Penn, this includes: UPHS, School of Medicine, School of Dental Medicine, Living Independently For Elders (LIFE) program, Student Health Services, and the Employee Health Benefit Plan. University of Pennsylvania Health System (not listed) has separately developed policies and procedures pertaining to security practices, including those related to ePHI.

Support Services -- In addition to these Covered Components, a number of department/offices (Support Services) create or receive ePHI in support of the Covered Components. These Support Services are obligated to comply with the HIPAA Security Rule only with regard to their creation or receipt of ePHI in their support of Covered Components and their covered activities, not in their support of non-covered areas within the University. Each Support Service may develop additional procedures as reasonable and appropriate given their constraints, capabilities, and level of risk or may select to support this policy through awareness within their area.

Office of Regulatory Affairs
Institutional Review Board (eight review boards)
Office of General Counsel
Office of Audit and Compliance
University Archives and Records Center
Office of Environmental Health and Radiation Services
Office of Risk Management and Insurance
Office of the President
Office of the Provost
Office of the Executive Vice President
Office of Student Financial Services
Office of Development and Alumni Relations
Office of the Comptroller
Office of Information Systems and Computing
School of Nursing Office of Technology and Information Systems, Center for Nursing Research, and Office of Business and Finance
VPUL Technical Support

ePHI - electronic protected health information - Individually identifiable health information which is:

Transmitted by electronic media;
Maintained in electronic media;

Electronic media means:

Electronic storage media including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; or

Transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the internet (wide-open), extranet (using internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media, because the information being exchanged did not exist in electronic form before the transmission.

HIPAA - "HIPAA" is an acronym for the Health Insurance Portability & Accountability Act of 1996 (August 21), Public Law 104-191, which amended the Internal Revenue Service Code of 1986. Also known as the Kennedy-Kassebaum Act, the Act includes a section, Title II, entitled Administrative Simplification, requiring:

1. Improved efficiency in healthcare delivery by standardizing electronic data interchange, and

2. Protection of confidentiality and security of health data through setting and enforcing standards.
As part of the HIPAA law, Security Standards were published in the Federal Register, February 20, 2003 with the Regulation Effective Date: April 21, 2003, and Compliance Date: April 21, 2005
Workforce - Anyone accessing ePHI working with the University of Pennsylvania's Covered Components and their shared Support Services as an employee, volunteer, student, faculty member

Scope and Applicability:

While application of this policy to any sensitive data is considered "best practice" and should be considered by all areas of the University when storing or transmitting such information, it is only mandated for those areas the University has designated as HIPAA "Covered Components". In addition to the Covered Components, offices that support such covered activities carried out by the Covered Components must also do so according to this policy.

Certain data is specifically excluded from coverage under HIPAA, most importantly:
(1) student records, except for student patient data maintained at Student Health Service
(2) employment records, except for health benefits records
(3) information "de-identified" under HIPAA standards


Exceptions to this policy must be documented and submitted for approval to the "University Information Security Officer who will consult with the Office of General Counsel. Appeals of decisions shall be referred to the Vice President of Information Services and Computing.

Policy Requirements:

University Covered Components and Support Services as defined above shall conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI and shall implement security measures sufficient to reduce risks and vulnerabilities. Such measures shall be implemented based on the level of risks, capabilities, and operating requirements of each office/department. These measures must include as appropriate and reasonable the following safeguards:

Administrative Safeguards

1. Sanctions: Appropriate sanctions against workforce members who fail to comply with the security procedures in their organization (refer to Human Resource Policy 001:Adherence to University Policy)
2. System Monitoring: Procedures to regularly review records of information systems activity, such as audit logs, access reports, and security incident tracking reports.
3. Security Officer: Assignment of a single person for each Covered Component to be responsible for development and implementation of safeguards, with coordination by the University Chief Security Officer to ensure broader threats and vulnerabilities are addressed University wide.
4. Workforce Supervision: Procedures for the authorization and/or supervision of workforce members who work with ePHI or in locations where it might be accessed.
5. Appropriate Access: Procedures to determine that the access of a workforce member to ePHI is appropriate to support their role in business or clinical operations.
6. Access Termination: Procedures for terminating access to ePHI when employment ends, or need for access no longer exists.
7. Business Associate Obligations: Ensure safeguards are contractually (appropriate language provided by Office of General Counsel) mandated with any Business Associate or transaction clearinghouse that may have access to University ePHI.

Physical Safeguards

8. Access: Procedures that grant access to ePHI by establishing, documenting, reviewing, and modifying a user's right of access to a workstation, software application/transaction, or process.
9. Awareness Training: Establish on-going security awareness through training or other means that provide workforce (including management) with updates to procedures and policies for guarding against, detecting, and reporting malicious software. Awareness should also address procedures for monitoring log-in attempts and reporting discrepancies, as well as, procedures for safeguarding passwords.
10. Incident Response: Procedures for responding to, documenting, and mitigating where practicable suspected or known security incidents and their outcomes.
11. Business Continuity: Based upon an assessment of data criticality, each Covered Component will develop a contingency, data backup and business continuity plan to insure exact data backups are created, maintained, and retrievable. Such procedures shall enable continuation of critical business processes for the security of ePHI while operating in an emergency mode. Periodic testing of the procedures should be done with revisions made as necessary.
12. Physical Access: Procedures to limit physical access to ePHI and the facility or facilities in which they are housed while ensuring that properly authorized access is allowed.
13. Physical Identification Validation: Access must be physically safeguarded to prevent tampering and theft. Procedures must address control and validation of a person's access to facilities based on their role or function, including visitors, employees, faculty, students, and vendors.
14. Modification and Repairs: Maintenance records should document repairs and modifications to the physical components of a facility as it relates to security.
15. Environment: Procedures that specify the proper functions to be performed, the manner they are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI.
16. Media Movement: Procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, and the movement of these items within the facility.
17. Media Final Disposition: Procedures to address the final disposition of ePHI, and /or the hardware or electronic media on which it is stored. Procedure must include process for removal of ePHI from electronic media before the media is made available for other use.

Technical Safeguards

18. User Sign-on: Access rights procedures which assign unique names or numbers for identifying and tracking user identity. Such procedures shall ensure appropriate access during an emergency. Electronic sessions shall terminate automatically after a predetermined time. ePHI shall be encrypted and decrypted when necessary and appropriate for electronic transmission
19. Data Integrity: Procedures that protect ePHI from improper alteration or destruction, which should include a mechanism to authenticate ePHI and corroborate that it has not been altered or destroyed in an unauthorized manner
20. Authentication: Procedures or mechanisms to verify that a person or entity seeking access to ePHI is the one claimed.
21. Data Transmissions: Technical safeguards to insure ePHI transmitted over an electronic communications network is not accessed by unauthorized persons or groups, and that such information is not improperly modified without detection until disposed of.

Policy References:

Administrative Computing Security Policy

Acceptable Use Policy

Computer Security Policy


Information Systems and Computing
University of Pennsylvania
Comments & Questions

Penn Computing University of Pennsylvania
Information Systems and Computing, University of Pennsylvania