Access to e-PHI on Drexel University Information Systems

Drexel University Clinical Covered Entities
HIPAA Privacy and Security Program
Security Policies and Procedures

Policy Title: Access to e-PHI on Drexel University Information Systems
Policy Number: IS-01
Effective Date: April 20, 2005; September 23, 2013
Last Revision: September 1, 2017
Responsible Officer: Vice President, Chief Compliance, Privacy and Internal Audit Officer

Applicability

This policy applies to all Covered Entities within Drexel University.

Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.

I. Purpose

To establish the principles and set the overall Drexel University (DU) policy framework by which access to electronic protected health information (e-PHI) on DU-owned, leased or licensed software systems, databases and networks is controlled and protected.

II. Accountability

DU's Security Officer in conjunction with the Privacy Officer shall ensure compliance with this policy. The Dean, department chairs, and faculty practice administrators shall implement this policy by means of unit- and system-specific procedures, guidelines and standards. They shall designate Data Stewards for their departments, units and systems.

III. Definitions

Electronic Information Resources – all computing machinery, networks and communication equipment and networks.

System Administrator – the designated person responsible for setting up and maintaining hardware and/or software.

Data Steward (Data Custodian) – the person designated by the Senior Vice President for Health Sciences, the Dean, department chairs, and faculty practice administrators to be responsible for the management of particular datasets of the offices, Schools or Units, and responsible for the creation or collection of the data.

IV. Policy

General Principles

  1. DU owns or licenses its computing, networking, telephony, video and other communications systems and its information resources which contain or use e-PHI and has the right to monitor them. The Security Officer has the responsibility for the security, integrity, maintenance and confidentiality of such electronic systems.
  2. Computing, networking, telephony, video and information resources of DU, including access to local, national and international networks, exist to support students, faculty and staff as they carry out the education, research, healthcare and public service missions. Toward these ends, DU encourages and promotes the use of these resources by the community.
  3. As part of the planning for new computing, networking, telephony and/or information resources in DU, a written communication to the DU Chief Information and Technology Officer will be initiated by the Department Head or designee in order to ensure adherence to the general policy and to plan for allocation of resources required for technical support.
  4. Acknowledging that security access concerns regarding e-PHI may vary from system to system, Data Stewards and System Administrators shall develop, within the specific procedures for their systems, guidelines to govern the authorization of access to users. These guidelines, consistent with this policy, will encompass access for employees, students and non-employees of DU. The Security Officer shall ensure that such policies are established and render assistance to those individuals responsible for their development.
  5. Data Stewards and System Administrators shall develop and implement specific procedures to protect the rights of legitimate authorized users, to protect the integrity of the information and systems under their management and to delineate the responsibilities of users, all with regard to e-PHI in the systems. DU has the authority to control or refuse access to anyone who violates these procedures or threatens the rights of other users or the availability and integrity of the systems and the information. Actions that may be taken under this authority include deactivating accounts, access codes or security clearances; halting unauthorized or disruptive processes; deleting unauthorized or inappropriate files; and disabling access to computing, networking, telephony and other information resources.
  6. Data Stewards shall report suspected Security Incidents in accordance with IS-05, Security Incident Reporting Procedures.
  7. Users shall be trained in the basic principles of this policy as it relates to access, security and confidentiality of e-PHI. In addition, departments will train users concerning specific procedures/guidelines.
  8. A registry of contact information will be maintained and published by the Security Officer for the purpose of identifying System Administrators and Data Stewards who shall be responsible for implementing this policy in a manner appropriate to their environment.
  9. All DU electronic information resources need to be within Drexel Domain (to be protected). Any exceptions to this must be approved by the Security Officer.

Access

  1. Access to institutional databases, servers and networks that contain or use e-PHI is a privilege granted by DU, to be used only for those purposes for which the access is authorized. The nature and extent of authorized access to institutional databases, servers and networks shall be determined by:
    1. legitimate needs to fulfill job responsibilities;
    2. local/state/federal/funding agency requirements;
    3. Drexel University policies;
    4. confidentiality requirements; and
    5. state and federal laws.
  2. In general, only employees of DU shall have access to e-PHI. Under certain circumstances non-employees may be granted access under carefully monitored and restricted conditions. Such access is at the discretion of the Data Steward and/or System Administrator. The access must be justified to have benefit to the operation of the organization.
  3. Privileged access (often called root access) to operating system or database administration tools and interfaces for enterprise systems or systems housing e-PHI will be at the discretion of the Security Officer.
  4. Each individual with access to institutional databases or networks containing or using e-PHI is responsible for all actions and transactions occurring during each exercise of his or her access privilege.
  5. Each Data Steward shall have responsibility for:
    1. Approving access to the databases containing e-PHI originating in her or his department or practice;
    2. Publishing and disseminating the policies and procedures regarding access;
    3. Ensuring prompt (within 24 hours of notification) termination of access for routine changes in an individual's status, e.g., voluntary termination of employment, graduation or withdrawal from DU, or when special vendor or courtesy accounts are no longer needed;
    4. Removing accounts that are inactive or no longer needed; and
    5. Ensuring security compliance for DU or Department level systems.
  6. In instances where access is provided to a system and the applications residing therein rather than to a particular database, the management of such systems will be responsible for:
    1. Regulating system access to authorized individuals;
    2. Ensuring separation and protection of the data assets of authorized individuals;
    3. Protecting system management applications and attendant data from access by the general usership;
    4. Publishing and disseminating the policies and procedures regarding access;
    5. Ensuring prompt (within 24 hours) termination of access for routine changes in an individual's status, e.g., voluntary termination of employment, graduation or withdrawal from DU, or when special vendor or courtesy accounts are no longer needed;
    6. Removing accounts that are inactive or no longer needed; and
    7. Providing security for DU or Department level systems.
  7. The DU Security Officer shall be responsible for providing DU infrastructure with the proper level of security and authentication mechanisms by which access will be restricted to specific systems, applications and data for authorized users.

Electronic Protected Health Information

  1. The categories of institutional information that shall be considered e-PHI include, but are not limited to:
    1. Patient health care and human subjects research records;
    2. Quality-assurance and peer-review information from patient care units;
    3. National Practitioner Data Bank information;
    4. Employee Assistance Program and Employee Healthcare Benefit records;
    5. Protected health information about students, employees and patients; and
    6. Medical and personal information in research records.
  2. Each Practice Administrator in conjunction with their Data Stewards may develop, publicize and enforce a Practice specific version of this policy, consistent with the provisions herein, and, for the data under his/her authority will:
    1. Identify the specific information considered e-PHI;
    2. Define internal role-based need to know and access for each type of e-PHI;
    3. Define appropriate conditions and procedures for information release, the people authorized to make releases and to receive information;
    4. Implement and enforce the standards developed by the Security Officer under which e-PHI extracted in whole or part from organizational databases may be stored on the internal or removable media of local Workstations;
    5. Establish retention rules consistent with existing federal, state and local guidelines;
    6. Assist in the promulgation of this policy with regard to general community awareness and orientation/training for individuals with access to e-PHI; and
    7. Oversee all vendors, contractors, subcontractors, consultants and external auditors whose scope of work requires access to e-PHI.

Security

  1. The security of e-PHI involves the protection of user files and system and network resources from intentional or unintentional loss, damage, inappropriate access and unauthorized disclosure or use of confidential or private information. Integrity of data is assurance that, once entered, data will not be subject to unauthorized modification intentionally or unintentionally, and that data will remain unaltered during transmission and unintelligible if intercepted between sending and receiving systems. Accountability establishes responsibility for security breaches and audit trails provide the necessary data to explain a security event and provide linkage to the originator. Issues regarding the balance of security against ease of access by authorized individuals will be arbitrated by the Security Officer. Security systems techniques include:
    1. Authentication of network users and systems, and determination of access and authorization levels (e.g., via passwords, personal identification numbers, digital signatures, token cards, smart cards, one-time passwords, biometrics);
    2. Transmission and communications security, protection of remote access points and of external electronic communications (e.g., via firewalls, encryption);
    3. Physical security of key network components;
    4. Online monitoring, logging and audit trails to maintain information about network access and transactions (e.g., logon activity logs, reference monitors, access alerts);
    5. Data integrity technologies (e.g., automated error checking, purge criteria, checksums, system backups, archives, redundant systems, anti-virus software, data disposal schedules);
    6. Ongoing system security assessment (e.g., intrusion monitoring and detection).
  2. The DU Dean, Departmental Chairs, and Practice Administrators under whom the Data Custodian serves shall be responsible for the security of e-PHI under their authority.
  3. Each Data Steward shall be responsible for implementing and enforcing the HIPAA Security Policies and Procedures recommended.

V. Non-Compliance and Sanctions

The failure to comply with any applicable access and confidentiality policies regarding e-PHI may result in denial or removal of access privileges to DU's electronic systems; disciplinary action under applicable DU and University policies and procedures; HIPAA Information Security Sanction Policy IS-09; civil litigation; and/or civil or criminal prosecution under applicable state and federal statutes.
