HIPAA Security Policies and Procedures
Drexel University Clinical Covered Entities
HIPAA Privacy and Security Program
Effective Date: April 20, 2005
Date of Last Revision: April 30, 2018
Responsible Officer: Vice President, Chief Compliance, Privacy and Internal Audit Officer
This document outlines the Drexel University (DU) policies, procedures, and standards of conduct designed to ensure the compliance of employees, faculty, staff and students (Workforce Members) with applicable federal laws and regulations, particularly the HIPAA Final Security Rule promulgated at 45 CFR §§ 160, 162 and 164 under the Health Insurance Portability and Accountability Act of 1996 (Security Rule); the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009 (HITECH); and the final HIPAA rule that implements a number of HITECH provisions to strengthen the privacy and security protections for health information established under HIPAA (the Omnibus Rule). The purpose of these policies is to ensure the confidentiality, integrity and availability of all electronic protected health information (e-PHI) that DU creates, receives, maintains or transmits. Failure to abide by these rules, policies and procedures, or behavior in violation of the Security Rule, may result in disciplinary action as outlined in the Human Resources Policy Manual.
Willful failure by any employee to comply with these policies and procedures will result in employment dismissal and may result in the employee being directly liable under HIPAA for fines and penalties. Consult the Human Resources Policy Manual, the HIPAA Security Officer or other Compliance Personnel if you have any questions about DU's commitment to effective compliance routines. Willful failure by any non-employee Workforce Member may also result in sanctions and may subject such individual to fines and penalties under HIPAA.
II. Compliance Mission Statement
DU strives at all times to maintain the highest degree of integrity in its interactions with patients and the delivery of quality health care. DU and its Workforce Members will at all times strive to maintain compliance with all laws, rules, regulations and requirements affecting the practice of medicine and the handling of patient information. Protecting the security of an individual's e-PHI is a critical concern to DU, and to the trust our patients offer in our treatment of their medical issues.
III. Expectation of Privacy
As outlined in the Security Policies, DU periodically reviews logins and audits its systems for securing e-PHI and PHI. No Workforce Member should have any expectation of privacy in any material stored in, sent from or retrieved from any system, server or workstation. Thus, only information that furthers the mission of DU should be downloaded from the Internet. (See DU E-Mail Policy, IRT-1, and Acceptable Use Policy, IRT-2.) Likewise, there should never be any retrieval or transmission of any e-PHI, except as specifically authorized by DU policies.
IV. Administrative Safeguards
DU has implemented administrative policies and procedures to prevent, detect, contain and correct security Violations relative to e-PHI. These policies and procedures are described in the following sections.
- Security Management Process
- Risk Analysis
DU has conducted an accurate and thorough assessment of the potential risks and vulnerabilities of the confidentiality, integrity and availability of e-PHI held in its computer systems including both on-site attacks and Internet attacks. When the Security Officer believes any risks exist, the Security Officer addresses each risk and completes a risk mitigation report. (See Policy IS-02, Risk Analysis.)
DU has implemented security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with the HIPAA Security Rule as detailed in this and related documents. Such security measures include migration to a self-managed network and contracting for a new billing system and electronic medical record system (EMR) to reside on the new network, building alarms, zone protection, network security policies, firewalls, server operating system updates and data port security. Only authorized personnel may access certain levels of the computer system. Unauthorized or malicious access may be subject to legal action, employment sanctions, or termination of access as set forth herein.
- Risk Management
As part of its risk management procedure, DU logs and tracks authorized and unauthorized access to any part of the computer system. In addition, DU's computer system is designed to automate proper access for certain personnel and deny access to all unauthorized personnel. Furthermore, physical access to e-PHI is protected by keys and/or keypad-coded alarm systems and is monitored at all times. (See IS-02.)
- Sanction Policy
DU will apply appropriate sanctions against Workforce Members who fail to comply with the security policies and procedures, as detailed in DU's Privacy and Security Policies and per the Human Resources Policy Manual. Contact the Privacy Officer to review a copy of these sanctions. Unauthorized access by Workforce Members may result in removal from the premises, termination of employment, termination of access privileges, and legal action and may subject such Workforce Member to fines and penalties under HIPAA. (See IS-09, Sanctions.)
- Information System Activity Review, Login Monitoring
DU has implemented procedures to regularly review the records of information systems that contain e-PHI. The Security Officer or his/her designee, in his/her sole discretion, reviews any or all files contained on DU computers. In addition, the Security Officer or his/her designee regularly monitors usage of DU computers through automatic tracking logs and by regularly observing employee conduct for inappropriate access. (See IS-10, Evaluation.)
Furthermore, server and application logs are stored continuously and in real time, meaning that each event is written to the log at the moment it occurs. Logs are reviewed daily to confirm two things: the stability of the system and the absence of any unauthorized activity.
- Assigned Security Responsibility
DU has appointed a Chief Information Security Officer (Security Officer) to oversee the security of DU's information and technology systems. (See IS-03, Security Officer.) The Security Officer is generally charged with the following responsibilities:
- oversee and monitor the implementation of the Security components of the HIPAA Privacy and Security Compliance Program;
- prepare regular reports with the Privacy Officer for presentation to the Audit and Legal committee of the Board of Directors and DU management, on DU HIPAA Security compliance;
- develop and implement a training program focusing on the security components of the HIPAA Privacy and Security Compliance Program, and ensure that training materials are appropriate for all DU employees;
- ensure that independent contractors who furnish information services to DU are aware of the requirements of DU's HIPAA Privacy and Security Compliance Program;
- coordinate security compliance efforts within DU and establish methods such as periodic audits, both to improve DU's efficiency and quality of services and to reduce DU's vulnerability to security abuse;
- revise the DU HIPAA Security Policies and Procedures periodically, in light of changes in the needs of DU, or changes in the law, or of Government and private payor health plans;
- develop mechanisms to receive and investigate reports of non-compliance and monitor subsequent corrective action and/or compliance;
- develop policies and programs that encourage employees to report non-compliance without fear of retaliation.
The requirements of this position are expected to be modified over time, as DU's situation changes.
- Authorization, Supervision, Clearance Procedure
The Security Officer determines which Workforce Members appropriately have access to e-PHI. All Workforce Members who are allowed access to e-PHI are assigned a specific level of access, so that some people may be permitted greater access to more e-PHI than other individuals. Likewise, the Security Officer may assign passwords for various individuals. Those passwords are to be used only by the individual to whom they are assigned and only during office hours. No person may share either a login or a password with any other person. Passwords and logins should be committed to memory and not written down in any discoverable location.
Workforce Members who do not need access to e-PHI cannot obtain such access, because the access model is designed to exclude them. Therefore, e-PHI should not be shared with them. (See IS-08, Assignment and Management of Access Privileges.)
- Termination Procedures
When an individual's employment with DU ends for any reason, that employee's access to e-PHI and the facility is terminated by removing his or her user ID from DU computers and seeking return of any other means of physical access (keys, ID numbers, etc.). In addition, the employee is required to turn in PDAs, access codes, portable computers and other DU property, tangible or intangible. (See IS-08.)
Isolating Healthcare Clearinghouse Function
DU currently does not perform any healthcare clearinghouse functions. However, if DU does perform clearinghouse functions in the future, a procedure will be developed to ensure data security, reliability and integrity. In addition, DU requires any clearinghouse it works with to be HIPAA compliant and has entered into business associate and/or confidentiality agreements as necessary.
Security Awareness and Training
- Security Reminders
DU will conduct periodic security awareness training on an ongoing basis with the twin goals that:
- all employees will receive training on how to perform their jobs in compliance with the security policies of DU and any applicable regulations; and
- each employee will understand that HIPAA security compliance is a condition of continued employment.
All Workforce Members are required to participate in at least one DU HIPAA Security awareness/training program per year. These programs are likely to be in-house web-based programs. Additionally, the HIPAA Security Officer distributes periodic Security Reminders. Knowledge of each "Security Reminder" and completion of any required action is the responsibility of every Workforce Member user on the network.
All original educational and training materials received by a Workforce Member at approved programs shall be the property of DU and shall be maintained in a designated location for review. (See IS-04, Training and Awareness.)
- Protection from Malicious Software
DU's network has anti-virus scanning software installed. Updates to that software are made as they become available. Daily anti-virus scans are performed. DU Acceptable Use policies are in place. (See IRT-2, Acceptable Use Policy.) All Workforce Members are required to review the E-mail use section in the DU Human Resource Policy Manual. (See IRT-1; IS-15, Electronic Transmission Security of PHI.)
Security Incident Procedures, Response and Reporting
The Security Officer notes any Security Incidents he/she is aware of in DU's incident log, and addresses them on a case-by-case basis. A "Security Incident" under HIPAA means any "attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system." Each employee will be contacted directly and individually if a problem arises. The Security Officer or his/her designees will perform the following steps in response to potential security Violations: (1) isolate the problem; (2) report the incident; (3) log the incident; and (4) correct the issue (if possible). Each employee/system user is responsible for following Policy IS-05, "Security Incident Reporting," if a Security Incident is confirmed or suspected. Policy IM-24 sets forth the procedures DU will follow with respect to its investigation of all reports.
Contingency, Data Backup, Disaster Recovery, Emergency Mode Operations, Testing and Revisions
DU periodically backs up its critical computer systems and stores the back-ups in off-site locations. If an emergency or other occurrence (for example, fire, vandalism, system failure or natural disaster) damages DU operational systems hardware or software that contain e-PHI, the Security Officer (or designated representative) shall authorize the use of back-up data to resume operations. In that case, DU would restore the system to its last operational state. The Security Officer (or designated representative) operates the system from the off-site location until the disaster situation is remedied.
This procedure is tested when the Security Officer (or designee) installs new software programs which will contain e-PHI, to ensure data can be fully and effectively backed up, restored and operational as soon as possible.
In addition, DU has established a Disaster Recovery Plan that covers simple hardware failures as well as more critical system failures due to a catastrophic event. The Disaster Recovery Plan establishes procedures for both controllable and uncontrollable events. "Controllable" events are disasters that can be subdued by human work such as building fires, power failures, pipe leaks/bursts, etc. In a controllable event, DU retains the ability to either immediately repair the system or rebuild using data stored at an off-site back up. DU has also established procedures for uncontrollable events such as earthquakes, hurricanes, etc. (See IS-07, Contingency Plan Policy.)
The Security Officer (or designated representative) performs a quarterly technical and non-technical evaluation of the procedures in this document, or any time there are significant environmental or operational changes affecting the security of e-PHI. DU's policy is to review all facets of data security, integrity, reliability and system functionality during such quarterly review. (See IS-10.)
Business Associate Contracts and Other Arrangements
DU shall have Business Associate Agreements which contain the required Omnibus Rule provisions with its Business Associates who create, receive, maintain or transmit e-PHI on our behalf. If any Workforce Member needs to send or receive e-PHI, he or she should confirm that there is a Business Associate Agreement which meets the HIPAA HITECH Omnibus Security Rule in place with that recipient/sender if one is so required. This supplements the obligations to enter Business Associate Agreements under the HIPAA Privacy Rule (see IM-03), HITECH and Omnibus Rule provisions. (See IS-06, Security and Business Associate Agreements.) (See also Policy IM-26 relating to when DU is acting as a Business Associate.)
V. Physical Safeguards
DU has implemented physical safeguard-related policies and procedures to prevent, detect, contain and correct security Violations. These policies and procedures are described in the following sections.
- Facility Access Controls
The Security Officer (or designated representative) works with the Facilities Department to secure DU facilities and access to e-PHI. Computers are kept in secure locations in buildings secured against unauthorized access. This is done through building and/or suite key-lock security and, in some instances, with unique magnetic swipe ID card systems that identify who is in the building.
Access to e-PHI is limited. All users are assigned a unique user ID. Employees are not to share their user ID with anyone, at any time. This includes not using anyone else's ID to enter the premises, swipe card to record entry onto the premises for timecards, password, login or the like.
Additionally, in conjunction with the Facilities Department, the Security Officer plans for emergency access to DU facilities to safeguard e-PHI, and modifications needed to facilities to safeguard e-PHI. (See IS-11, Workstation Security.)
- Workstation Use
Workstations ("electronic computing devices") are to be used exclusively for DU operations. Consult the Acceptable Use and E-mail Policies in the Human Resources Policy Manual for additional information. In addition, DU has implemented security rights and policies within the computer infrastructure to protect against malicious attempts on the system. (See IS-11.)
- Workstation Security
Workstation access to e-PHI is restricted to authorized users only. Only those personnel who require access to those systems are authorized to use them. In addition, all monitors should be positioned so that they are turned away from unauthorized users, including patients. All Workstations are located in secure areas. If you have access to a Workstation, you should use a password-protected screen saver that is activated when your station becomes idle or when you leave your station unattended. The lock-out procedures implemented on each Workstation are based on risk assessment and individual job duties. (See IS-11.)
- Device and Media Controls
The Security Officer (or designated representative) monitors the movement, receipt and removal of all hardware and Electronic Media which contain e-PHI on an as-needed basis. The Security Officer also provides guidance for the final disposition of any such hardware or Electronic Media, and erases disks and other media as needed upon requests for disposal or in preparation for re-use. Records are maintained by the department administrator of the movements of hardware and Electronic Media containing e-PHI and of any person responsible therefor. In addition, the Security Officer (or designated representative) will, upon request, create a retrievable, exact copy of e-PHI, when needed, before movement of equipment. (See IS-12, Device and Media Controls.)
VI. Technical Safeguards
DU has implemented technical safeguard-related policies and procedures in the following areas to prevent, detect, contain and correct security Violations, as described in the following sections.
- Access Control
Each employee is assigned a unique name and/or number for identifying and tracking user identities. You must keep your user ID secure and you must not share it with anyone. Each employee shall have his or her own user ID. User IDs shall be unique to the individual, not to the job function. (See IS-13, Access Controls and Authentication.)
Based on a risk assessment and individual job duties, the system will automatically log users off and require a new login.
- Audit Controls
DU has implemented procedural mechanisms that record and examine activity in information systems that contain or use e-PHI. These mechanisms include failed log-in reports and account activity reports. (See IS-14, Audit Controls.)
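The two audit mechanisms named above, a failed-login report and an account activity report, can be illustrated with a short review script. This is an added example, not DU's own tooling: the log format, the office-hours window, the failure threshold and the sharing window are all assumptions, and the log lines are constructed. It flags the conditions the policy itself states, namely repeated failed logins, use of an ID outside office hours, and one user ID appearing on two workstations close together in time, which is consistent with a shared login.

```python
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed sample lines, not real DU log data. Assumed format:
# ISO timestamp, user ID, workstation, result (SUCCESS or FAIL)
SAMPLE_LOG = """\
2018-04-30T08:55:02 jdoe01 WS-CLINIC-01 SUCCESS
2018-04-30T08:58:40 jdoe01 WS-BILLING-07 SUCCESS
2018-04-30T09:10:45 asmith WS-CLINIC-02 FAIL
2018-04-30T09:11:02 asmith WS-CLINIC-02 FAIL
2018-04-30T09:11:20 asmith WS-CLINIC-02 FAIL
2018-04-30T09:12:03 asmith WS-CLINIC-02 SUCCESS
2018-04-30T13:02:17 jdoe01 WS-CLINIC-01 SUCCESS
2018-04-30T22:40:09 bwong WS-CLINIC-03 SUCCESS
"""

OFFICE_HOURS = (time(7, 0), time(19, 0))  # assumed office-hours window
FAIL_THRESHOLD = 3                        # assumed reporting threshold
SHARE_WINDOW = timedelta(minutes=10)      # assumed "same ID, two workstations" window


def parse_log(text):
    """Parse lines into (timestamp, user, workstation, result), time-ordered."""
    events = []
    for line in text.splitlines():
        ts, user, ws, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ws, result))
    return sorted(events)


def failed_login_report(events):
    """Count failed attempts per user ID; report those at or above the threshold."""
    fails = defaultdict(int)
    for _, user, _, result in events:
        if result == "FAIL":
            fails[user] += 1
    return {u: n for u, n in fails.items() if n >= FAIL_THRESHOLD}


def account_activity_report(events):
    """Flag successful logins that conflict with the access policy:
    use outside office hours, and one user ID logging in from two
    different workstations within SHARE_WINDOW (possible shared ID)."""
    findings = []
    last_login = {}  # user -> (timestamp, workstation) of previous success
    for ts, user, ws, result in events:
        if result != "SUCCESS":
            continue
        if not OFFICE_HOURS[0] <= ts.time() <= OFFICE_HOURS[1]:
            findings.append((user, "login outside office hours", ts.isoformat()))
        prev = last_login.get(user)
        if prev and prev[1] != ws and ts - prev[0] <= SHARE_WINDOW:
            findings.append((user, "same ID on two workstations",
                             f"{prev[1]} then {ws} within {SHARE_WINDOW}"))
        last_login[user] = (ts, ws)
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("Failed-login report:", failed_login_report(evs))
    for finding in account_activity_report(evs):
        print("Activity finding:", *finding)
```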
- Integrity
DU has implemented procedures to protect e-PHI from improper alteration or destruction, to corroborate that e-PHI has not been altered or destroyed in an unauthorized manner, and to verify that a person or entity seeking access to e-PHI is the one claimed. (See IS-16, Integrity.)
- Person or Entity Authentication
DU has installed measures to verify that anyone trying to access e-PHI is the person that he/she claims to be. DU uses a combination of operational practices and technological solutions to validate or corroborate that a person attempting access to e-PHI in DU's possession is the one claimed to be. Each Workforce Member is assigned a unique user identification name or number that validates and authenticates that person. DU expects Workforce Members to keep user identification information and passwords confidential. (See IS-13, Access Controls and Authentication; IM-18, Password and System Confidentiality.)
- Transmission Security
DU has installed and made available software to ensure that transmissions of e-PHI are secure. Contact DU-IT for access and instructions on the use of that software. You must not transmit e-PHI (via e-mail or otherwise) unless you are directed to do so by your supervisor. (See IS-15, Electronic Transmission of PHI.)