For a better experience, click the Compatibility Mode icon above to turn off Compatibility Mode, which is only for viewing older websites.

Appointment of Security Officer

Drexel University Clinical Covered Entities
HIPAA Privacy and Security Program
Security Policies and Procedures

Policy Title: Appointment of Security Officer
Policy Number: IS-03 (Administrative Safeguard)
Effective Date: April 20, 2005; September 23, 2013
Last Revision: September 1, 2017
Responsible Officer: Vice President, Chief Compliance, Privacy and Internal Audit Officer

Table of Contents

Applicability

This policy applies to all Covered Entities within Drexel University.

Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.

I. Purpose

Drexel University (DU) recognizes and acknowledges the importance of the HIPAA Security Rule and has appointed a Chief Information Security Officer (CISO). The following job description outlines the duties and responsibilities of the Security Officer.

II. Policy

  1. Oversee HIPAA Security Compliance Efforts
    1. Oversee and monitor the development and implementation of the Security Compliance Program;
    2. Ensure compliance with the HIPAA Electronic Transactions Standards and HIPAA Security Standards;
    3. Ensure proper back-up systems for all data stored, received and transmitted;
    4. Oversee the development of and manage the Disaster Recovery Plan;
    5. Establish methods and periodically audit DU to ensure its efficiency and quality and to reduce vulnerability to exposure areas;
    6. Coordinate compliance efforts with the Privacy Officer, Personnel and DU department managers as needed; and
    7. Prepare and present regular reports to the Audit and Legal Committee of the Board of Directors and to DU management on DU HIPAA Security compliance or delegate such reporting to the Privacy Officer as appropriate.
  2. Develop Training/Education Programs
    1. Together with the Privacy Officer, develop and implement training and education programs for all DU employees (staff and providers) and students in the area of security and integrity of protected health information (PHI);
    2. Ensure that independent contractors and investigators who furnish services to DU are aware of the requirements of the DU HIPAA Privacy and Security Program;
    3. Develop mechanisms to receive and investigate reports of non-compliance;
    4. Take corrective actions to resolve non-compliance; and
    5. Develop policies and programs that encourage employees to report non-compliance without fear of retaliation.
  3. Implement the Security Regulation Policies and Procedures
    1. Maintain current and effective security policies and procedures;
    2. Conduct periodic audits in the following areas:
      • Staff compliance with security policies and procedures;
      • Log of transmissions emanating from DU; and
      • Password access systems;
    3. Other areas as deemed appropriate;
    4. Conduct ongoing educational programs together with the Privacy Officer;
    5. Circulate and distribute all HIPAA Security updates;
    6. Investigate all breaches of security and complaints of alleged breaches with the assistance of the Privacy Officer;
    7. Take prompt corrective actions where necessary;
    8. Respond to compliance related inquiries;
    9. Act as liaison with information system hardware and software vendors; and
    10. Act as liaison with legal counsel.
  4. Documentation
    1. Maintain all logs regarding security plan compliance efforts, investigations and the like in a secure location; and
    2. Maintain logs of staff training efforts.

III. References

45 CFR §164.308(a)(2)

 Back to Top