Electronic Transmission Security of PHI
Drexel University Clinical Covered Entities
HIPAA Privacy and Security Program
Security Policies and Procedures
Policy Title: Electronic Transmission Security of PHI
Policy Number: IS-15 (Technical Safeguard)
Effective Date: April 20, 2005; September 23, 2013
Last Revision: September 1, 2017
Responsible Officer: Vice President, Chief Compliance, Policy and Privacy Services Officer
Applicability
This policy applies to all Covered Entities within Drexel University.
Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.
I. Purpose
To describe the precautions Drexel University (DU) has implemented to protect electronic protected health information (e-PHI) while in transit.
II. Policy
DU maintains a comprehensive internal security control program coordinated by DU Information Technology (IT) to guard against unauthorized access to e-PHI. Workforce Members are not permitted to transmit e-PHI via email or otherwise unless directed to do so by a supervisor. Proper encryption processes will be used when assigned job duties require transmitting such data.
III. Procedure
- Closed Enterprise Network Controls
All communications access to DU from an open network, such as the Internet, or from untrusted third-party networks must be provisioned with strong authentication. Communication protocols used when transmitting to and from DU provide for the integrity and authenticity of the information.
DU's network has anti-virus scanning software, which is updated as such updates become available. Daily anti-virus scans are performed.
In order to limit the security hazards of installing software, only System Administrators will have administrator access to systems.
- Network Perimeter Controls
All access points to untrusted networks use some type of security mechanism, which could include, but is not limited to, firewalls, network address translation devices, gateways, and proxies.
- Encryption Controls
The use of encryption and decryption allows information to be scrambled so that, if it were intercepted, it would not be easily understood. Under certain circumstances, DU makes encryption or decryption available upon request.
IV. References
45 CFR § 164.312(e)(1), (2)
Cross References: IT-7, Email Policy