Drexel University Clinical Covered Entities
HIPAA Privacy and Security Program
Security Policies and Procedures
Policy Title: Evaluation
Policy Number: IS-10 (Administrative Safeguard)
Effective Date: April 20, 2005; September 23, 2013
Last Revision: September 1, 2017
Responsible Officer: Vice President, Chief Compliance, Privacy and Internal Audit Officer
This policy applies to all Covered Entities within Drexel University.
Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.
To document the process by which Drexel University (DU) documents the evaluations of its operations for compliance with the HIPAA Security Rule and security of its electronic protected health information (e-PHI).
DU has instituted periodic technical and non-technical evaluations of its security procedures in order to review all facets of data security, integrity, reliability and system functionality. DU has also implemented procedures to regularly review records of information system activity.
- The Security Officer, or designee, assures that routine monitoring of each technical and non-technical procedure is done on a quarterly basis. This includes performance of routine and random audit checks in order to validate DU compliance with all policies.
- The Security Officer, or designee, performs a technical and non-technical evaluation any time there is a significant environmental or operational change affecting the security of e-PHI.
- The Security Officer, or designee, in his/her sole discretion, reviews any or all files on DU computers as deemed necessary for security purposes.
- The Security Officer, or designee, regularly monitors usage of DU computers through automatic tracking logs and by regularly observing employee conduct for inappropriate access.
- Server and application logs are reviewed daily to confirm the stability of the system and to identify any unauthorized activities.
45 CFR § 164.308(a)(8)