Information Management Policy
Drexel University Clinical Covered Entities
Privacy Program Policies and Procedures
Policy Title: Information Management Policy
Policy Number: IM-01
Effective Date: April 14, 2003; September 23, 2013
Last Revision: September 23, 2017
Responsible Officer: Vice President, Chief Compliance, Privacy and Internal Audit Officer
Table of Contents
This policy applies to all Covered Entities within Drexel University.
Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.
I. Policy Statement
It shall be the policy of Drexel University (DU) to capture, share, secure, maintain, and enhance the value of DU's health information assets in all mediums through appropriate information management policies and actions that meet applicable Federal, State, regulatory, or contractual requirements and support the DU mission, vision, and values. Furthermore, it shall be the policy of DU to support and adhere to the rights and responsibilities of patients as specified in the Commonwealth of Pennsylvania Public Health and Mental Health Codes.
II. Policy Purpose
The purpose of this policy is to identify and disseminate the DU framework and principles for information management that guide our institutional actions and operations in protecting, generating, and sharing individually identifiable health information in support of the DU mission, vision, and values.
Access – The ability of a data user or application process to read, write, modify, or communicate information or otherwise make use of an information asset.
Access Profile – A list of the applications and/or databases a user (or application process) is permitted to access, and the access levels granted in each of those applications and/or databases.
Assigned Access Category – A category of access assigned each employee and faculty member that is chosen to match the duties of the position held. Each category requires the completion of specific training modules.
Account Administration – The process by which authorized data users are assigned accounts (sign-ons) to the DU health information assets using the access controls (profiles) prepared by Data Managers.
Account Administrator – The individual acting at the direction of the Data Manager who implements controls on access to information assets by applying formal guidelines and practices to functions such as assigning user access codes, revoking user access privileges, and setting file protection parameters. (The roles of account and system administrator may be combined for smaller databases.)
Audit – A formal review and identification of access to an information asset by an individual, organization, or application process.
Authentication – The process by which a user (or application process) identifies her or himself to an information system or resource. The user is required to provide at least one of the following unique elements:
- Something that the user knows (such as a password or a personal identification number);
- Something that the user has in her possession (such as a token or access card).
Authorization – Documented approval to access the DU health information assets based on the user's need to know.
Authorization and Access Control (AAC) Process – The process in which Departmental Administrators request access for members of their department based on those members' roles and their role-based need to know, and Data Managers ensure that the needed access to applications is made available.
Authorized Access Database (AAD) – The centralized repository of information about all of the DU Authorized Data Users, under the responsibility of one administrator. The Authorized Access Database must include at a minimum:
- User name and a unique identifier;
- User login ID;
- Date access last changed, and start and stop date for authorized use of an account and/or application;
- User's Departmental Administrator or Delegated Access Coordinator;
- Application ID for each application; and
- User's authorized access profile for each application.
Authorized Data User (ADU) – Individuals who have been granted authorization through the Authorization and Access Process to access specific DU health information assets in the performance of their assigned duties or in fulfillment of their role in DU. Authorized Data Users include, but are not limited to, faculty and staff members, employees, trainees, students, vendors, volunteers, contractors, and other affiliates of DU as well as external users who have been granted accounts on DU health information assets under the terms of an information sharing agreement.
Business Owner – The senior DU official (and his/her staff) having policy-level responsibility for managing a segment of the DU information assets by the Data Steward, e.g. Departmental Chairs, Department Administrators. (The Business Owner has the role of Delegated Data Steward, as described by DU, Data Administration Guidelines for Institutional Data Resources.)
Certification – Evaluation of the computer system(s), storage media, network(s), information transmissions, operating systems, and applications design supporting the DU health information assets that confirms that the appropriate security measures have been implemented in accordance with DU policies.
Consent – The voluntary agreement of an informed and competent individual or their legal guardian for a given action relative to the individual (including the release of information). See individual entity policies.
Contingency Plan – A routinely updated plan for responding to an emergency. At a minimum, it must include a data backup and disaster recovery plan.
Data Manager – DU Official and their staff who have been given operational level responsibility for the capture, maintenance, and dissemination of specific data by the appropriate Data Steward or Business Owner (Delegated Data Steward).
Data Steward – The DU Executive Officer having policy-level responsibility for managing a segment of the DU information resource. For DU, the official data steward is the Dean or their designee.
Delegated Access Coordinator – An individual within a department or external entity designated by the Department Administrator (or Information Sharing Agreement, in the case of external entities) to:
- Define, in consultation with the appropriate Data Managers, departmental access profiles for members of their department/unit by listing roles within the department and the appropriate level of access for individuals in those roles based on their need to know.
- Notify the AAD Administrator when personnel status changes require access changes (e.g. hiring, termination, suspension, transfer).
Directed Communication/Solicitations – The use of individually identifiable health information to promote fundraising, educational opportunities, special research or clinical activities, new forms of treatment, or notification of DU events. Contact with a patient to discuss or provide information related to the above activities is not considered directed communication/solicitations if the inquiry is initiated by the patient.
Disclosure – The release of information to third parties about an individual which requires the individual's consent or release due to a legal or regulatory requirement.
Encryption – The reversible conversion of readable information into an unreadable protected form so that only a recipient who has the appropriate "key" can convert the information back into its original readable form.
Health Information Asset – Any individually identifiable health information, in any form, on any medium.
Health Insurance Portability and Accountability Act (HIPAA) – Federal statute requiring, among other things, the adoption of standards for the security and privacy of individually identifiable health information.
Individually Identifiable Health Information – Any information, including demographic and/or scheduling information collected about an individual, that
- Is created or received by a health care provider, health plan, employer, or health care clearinghouse or any employee of the above; and
- Relates to the past, present or future physical and/or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and
- Identifies the individual, or
- With respect to which there is a reasonable basis to believe that the information can be used to identify the individual.
All of the following are considered by DU to fall into this category:
- Patient information collected by DU (and American Academic Health System (AAHS)) or member information collected (e.g. transferred medical records, correspondence, telephone calls, e-mail, etc.); or
- Patient information generated by DU (and AAHS) or member information generated; or
- Information entrusted by the individual to a clinical staff member, employee vendor, volunteer, student or other affiliate of DU; or
- Any knowledge a clinical staff member, employee, vendor, volunteer, student or other affiliate of DU gains in the course of fulfillment of his or her appointed role in DU regarding the individual; or
- Research information collected, generated, maintained or disseminated by DU that identifies individuals, or when combined with other data can reasonably lead to the identification of individuals.
Information Asset – Any data in any form on any media.
Information Security Committee (ISC) (security oversight entity) – That DU entity documented as formally assigned the responsibility for defining procedures to assure the security, integrity, and confidentiality of the DU health information assets. This responsibility includes but is not limited to the oversight of:
- the use of security measures to protect data;
- the conduct of personnel in relation to the protection of data; and
- the coordination of the AAC process and procedures with other operational entities necessary to provide for the security, integrity, and confidentiality of DU health information assets.
Membership of the ISC shall, at a minimum, include representatives from Medical Information Services, DU Legal Office, Finance, the Human Resources Department, the Office of Clinical Affairs, the Institutional Review Board, the Compliance Committee, the DU Medical School, the House Officers' Association, and relevant information technology organizations.
Information Sharing Agreement (also known as, and referred to in HIPAA as, a "Chain of Trust Agreement") – A contract entered into by two parties in which they agree to exchange data while maintaining its security and confidentiality. Part of administrative procedures to guard data integrity, confidentiality and availability. For a description of the factors that must be present in an information sharing agreement between DU and any external entity seeking access to DU health information assets, see DU Policy IM-03, "Sharing Organizational Data with External Entities."
Legally Restricted Information – individually identifiable health information for which disclosure is specifically subject to additional legal requirements imposed by statute or administrative rule.
Need to know – The principle that states that a user should access only the specific information necessary to complete his or her assigned job functions.
This principle is applied in two main contexts:
- Departmental Administrators (or their Delegated Access Coordinators) apply this principle in determining the assignment of access categories and appropriate level of access to databases and/or applications needed by people in different roles in their department.
- Authorized Data Users apply the principle every time they decide whether to access a specific individual's record or not, even if they have been granted full access to the application in which the record resides. Once access to a database and/or application has been authorized, the authorized data user is still obligated to assess the appropriateness of each specific access on a need to know basis. See DU Policy IM-02 "Minimum Necessary" for further discussion and examples of this definition.
Notice of Privacy Practices – A written notice of DU policies and procedures regarding the use and disclosure of protected health information provided to each patient.
System Administrator – The individual responsible for the functions of installing, maintaining, and operating hardware and software platforms (system environments). (The roles of system and account administrator may be combined for smaller databases.)
IV. Policy Standards
- All persons with access to DU health information assets may only have such access on a need to know basis and must be approved and verified as Authorized Data Users at regular intervals (but no less than annually) by the appropriate Departmental Administrator (or Delegated Access Coordinator).
- It is the responsibility of every Authorized Data User to maintain confidentiality of the DU health information assets even if technical security mechanisms fail or are absent. A lack of security measures to protect the confidentiality of information does not imply that such information is public.
- Each clinical staff member, employee, trainee, student, vendor, volunteer, or contractor, or other affiliate of DU with access to DU health information is subject to and has the responsibilities outlined in this policy as well as those outlined in their organization's policy on confidentiality of information. For external entities, the Information Sharing Agreement covers this, see the DU Policy IM-03 "Sharing Organizational Data with External Entities."
- Individually identifiable health information is the property of the individual to whom the information pertains and DU is the steward of that information and the owner of the storage medium.
- If an Authorized Data User elects to place individually identifiable health information onto personally-owned media or storage devices (e.g. PDAs, floppy disks, case logs, note cards), he or she is responsible for ensuring that its security, confidentiality, and integrity are maintained according to this policy, and he/she is individually responsible for any breaches that occur as a result of his/her actions.
- A person must be identified by the Data Steward (or Business Owner) as the Data Manager for each DU health information asset.
- The DU HIPAA Privacy and Security Committee shall provide assistance to the DU community on interpretation of existing policy, cataloging of DU health information assets and individually identifiable health information, monitoring and tracking violations and appeals, identifying areas of risk, defining security controls, and maintaining the AAD in collaboration with other departments that hold information about individuals' job status and access privileges.
- All DU health information assets containing individually identifiable health information in any medium must be registered by the appropriate Data Manager in the Authorized Access Database.
- If any DU staff member chooses to maintain a database containing individually identifiable health information generated in the course of performing professional responsibilities, he/she will be responsible as Data Manager for that database and must follow all applicable rules.
- Individuals have the right to correct inaccurate individually identifiable health information. The appropriate process for validating and processing such corrections is performed individually by each organization, as specified in DU policies (see, e.g., Information Management Policy IM-05, "Individual right to request correction to inaccurate individually identifiable health information" policy). Each Data Manager is responsible for ensuring that validated correction requests relevant to the DU data assets under his/her control are implemented.
- In order to protect the individually identifiable health information entrusted to DU, all directed communication/solicitations shall adhere to The DU Policy IM-12 "Fundraising and Marketing".
- DU HIPAA Privacy and Security Committee shall create, administer and oversee policies to ensure the prevention, detection, containment and correction of breaches of security, integrity, and confidentiality.
- DU HIPAA Privacy and Security committee shall evaluate and certify that appropriate security systems and measures are implemented. For external entities, this is part of the Information Sharing Agreement.
- The security management process shall be the responsibility of the Business Owner, according to the guidelines set by the DU HIPAA Privacy and Security committee and must include, at a minimum, the implementation of:
- Risk analysis, based on information asset contents and user population, to determine the likely occurrence and severity of loss of potential incidents.
- Risk management including formal, documented procedures for monitoring, detection, auditing, reporting, and responding to breaches of security, integrity, and confidentiality.
- A disciplinary process including procedures for the potential discipline, up to and including dismissal, for misuse, misappropriation of data, or acts of omission or commission which result in breaches of security, integrity, or
- The prevention of access to DU health information assets by unauthorized or untrained personnel shall be addressed by personnel security policies, including provisions that:
- Ensure that all personnel with access or potential access to DU health information assets have gone through personnel clearance procedures – they have been screened, are specifically authorized for that access, are trained in relevant DU confidentiality policies, and have attested knowledge of and compliance with those policies.
- Ensure that operating and maintenance personnel are given the access necessary for them to perform their system maintenance responsibilities without compromising individually identifiable health information.
- Ensure that personnel performing maintenance activities related to DU health information assets are supervised by authorized, knowledgeable persons.
- Require maintenance of records of those granted physical access to DU health information assets.
- Employ personnel security policy/procedures.
- Ensure that system users, including technical maintenance personnel, are trained in system security.
- The security management process shall be the responsibility of the Business Owner, according to the guidelines set by the DU HIPAA Privacy and Security committee, and must include, at minimum, formal, documented policies and procedures to limit physical access while ensuring that properly authorized access is allowed, including contingency planning for how security is to be maintained in the event of an emergency. These controls shall include, but not be limited to:
- Applications and data criticality analysis.
- A data backup plan.
- Disaster recovery.
- Emergency mode operation.
- Equipment control (into and out of site) including workstation and laptop computers.
- A facility security plan coordinated with Hospital Security Services and/or any other relevant security organizations.
- Procedures for verifying access authorizations prior to physical access.
- Maintenance records.
- Need-to-know procedures for personnel access.
- Sign-in for visitors and escort, if appropriate.
- Testing and revision.
- To ensure that appropriate access control of DU health information assets are in place and to fulfill the obligation to keep information timely, accurate, complete, and confidential, all information systems and application programs must adhere to the following principles:
- Data Stewards, Business Owners, Data Managers, Account and System Administrators are accountable for ensuring that the information security policies are fully executed.
- Information systems and application programs must provide mechanism to control authentication, authorization, and audit.
- All members of the DU "community" shall be assigned a unique DU.EDU name identifier. The user assigned a specified account shall be the sole user of that account and its associated identification methods; they shall not be shared. Identification methods include, but are not limited to, login names or IDs, password and pass phrases, digital certificates and signatures, PIN, and other forms of personal identification.
- Authentication shall include establishment of criteria for account eligibility, creation, maintenance, and expiration.
- When passwords are used as an authentication mechanism, a password shall be present, be of a minimal length, be changeable by the end user, be encrypted, be non-reusable (uniqueness) and have a timed forced renewal.
- Intruder detection and lockout (maximal limit of 3-5 attempts with a 15-30 minute timeout upon violation) shall be set on for the account.
- Electronic communication of and exchange of health information that occurs over open networks such as the Internet must include strong authentication, adequate encryption, and effective administration of keys and passwords for encryption.
- Applications shall provide an automatic logoff/lockout after a specified period of inactivity of interaction with that application; a user shall re-authenticate to gain access to the application. The period of inactivity shall be long enough to provide for continuous user interaction with the application, yet short enough not to permit access to a possibly unattended session (no longer than 7 minutes).
- One authoritative source shall hold the identifications for DU.EDU users, information systems, applications, and their processes. This authoritative source shall include the identification information of application processes that access DU health information assets for purposes of capturing, providing, and/or receiving information.
- External data users shall have access to DU health information assets only upon the completion of an Information Sharing Agreement with DU, as described in the Information Management Policy IM-03, "Sharing Information with External Entities."
- There may be cases in which a state, federal, or regulatory agency requires that it be granted access to DU health information assets under law or regulation. In such cases, to the extent possible, an Information Sharing Agreement meeting the criteria listed in the DU University Policy IM-03, "Sharing Information with External Entities," shall be negotiated between DU and the agency before access is granted to the DU data assets.
- Individually identifiable health information that is subject to additional specific Pennsylvania legal restrictions shall be subject to the additional safeguards and processes specified. Requests for access to information that is Legally Restricted must be processed in accordance with release of information procedures as specified in DU Policy IM-10.
- All data users shall receive education on the expectations, knowledge, and skills related to information security prior to being given access to DU health information assets. DU supervisors shall verify that potential Authorized Data Users under their supervision have received security education and attested to the DU Policy IM-08 "Training requirements".
- To the extent technologically practical, system administrators shall maintain ongoing internal audit processes that record system activity such as log-ins, file accesses, and security incidents.
- To the extent that an audit trail shows access to an individual's individually identifiable health information, it shall be made accessible to that individual at the individual's request in the event that questions arise about improper access to his or her records.
- All Authorized Data Users, both internal and external, shall be made aware, as a part of the AAC process and the supervisory educational process, that records of data access by users are a capability of all DU health information assets subject to this policy (to the extent technologically practical) and that, from time to time or as indicated by events and circumstances, such access audits may be conducted.
- Should evidence of data access outside that granted through the AAC process be discovered it might result in revocation of access rights.
- Breaches of confidentiality under this policy are subject to appropriate disciplinary action up to and including discharge or termination of contract/relationship.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191 (1996).
Back to Top