Post on 27-Sep-2020
UH HIPAA Policy
J.T. Ash, University of Hawaii System HIPAA Compliance Officer
jtash@hawaii.edu, hipaa@hawaii.edu
Agenda
- HIPAA is a "TEAM SPORT" and everyone has a role in protecting protected health information (PHI).
- Purpose of the UH HIPAA Policy
- Objectives of the UH HIPAA Policy
- General requirements and practices
- Roles and responsibilities
- Policies and procedures
UH HIPAA Policy Purpose
- Ensure that the University of Hawai‘i (the "University") complies with the Health Insurance Portability and Accountability Act of 1996, as amended by the American Recovery and Reinvestment Act of 2009 ("ARRA"), which included the Health Information Technology for Economic and Clinical Health Act ("HITECH") that expanded the scope of privacy and security protections, and by the implementing regulations at 45 Code of Federal Regulations ("CFR") Parts 160, 162 and 164, as amended (collectively referred to as "HIPAA").
UH HIPAA Policy Objectives
- Establish University System-wide policies and procedures to:
  - Designate the University as a Hybrid Entity
  - Establish fundamental principles governing the University's management and use of Protected Health Information ("PHI")
  - Establish a set of standardized terms and definitions to promote consistent interpretation and implementation of the University's HIPAA Policy.
  - Establish clear lines of authority and accountability related to PHI.
  - Set forth best practices for HIPAA compliance with the ongoing objectives of:
    - Identifying University units and subunits (and their activities) that are subject to HIPAA
    - Managing and mitigating information privacy and security risks related to PHI.
General requirements and practices
- DO NOT share PHI with the non-covered Units of the University (see below)
- Comply with HIPAA and this HIPAA Policy
- Perform a risk assessment
- Designate a Unit HIPAA Coordinator
- Complete HIPAA training
  ➢ Maintain a BAA with another internal University Unit or an entity outside the University to share PHI or a Limited Data Set.
  ➢ Maintain a Data Use Agreement and BAA with the entity that receives the Limited Data Set, and ensure such use has been approved by the University's Institutional Review Board ("IRB").
  ➢ Post a Notice of Privacy Practices as required by HIPAA
Roles and responsibilities – Office of the Vice President for Information Technology and Chief Information Officer (OVPIT)
- Designate staff to serve as the University System HIPAA Privacy and Security Officer(s)
Roles and responsibilities – UH System HIPAA Privacy and Security Officer
- Relating to the HIPAA Privacy Rule:
  - Maintain ongoing communication with all Unit HIPAA Coordinators;
  - Coordinate training programs for the designated UH Covered Components (employees, students and volunteers) in cooperation with the Unit HIPAA Coordinators
  - Maintain ongoing communications with the IRB regarding research use of PHI and Limited Data Sets
  - Respond to complaints regarding University policies, procedures and practices related to the privacy of health information
  - Respond to, or refer to the appropriate UH Covered Component, requests by individuals for access and amendment, an accounting of disclosures, or requested restrictions to the use and disclosure of PHI.
  - Approve and execute all BAAs, Data Use Agreements, and Data Sharing Agreements.
Roles and responsibilities – UH System HIPAA Privacy and Security Officer
- Relating to the HIPAA Security Rule:
  - Maintain ongoing communication with the Unit HIPAA Coordinators;
  - Guide and assist with the development and implementation of ongoing security awareness and training programs for the employees, students, and volunteers of each UH Covered Component
  - Monitor the use of security measures to protect PHI
  - Assist in revising this HIPAA Policy and any University policy or procedure related to the privacy and security of PHI, as required to comply with changes in any applicable law, as well as documenting any change to any policy or procedure related to the privacy and security of PHI.
Roles and responsibilities – Unit HIPAA Coordinators
- Maintain ongoing communication with the UH System HIPAA Privacy and Security Officer(s)
- Develop and maintain procedures consistent with this HIPAA Policy for protection of PHI and ePHI in the University Unit, which is considered a UH Covered Component
- Maintain and update, as needed, procedures consistent with the policy for protection of PHI and ePHI in the University Unit
- Inform employees, volunteers, students, and as needed, consultants and others, about this HIPAA Policy and all University policies and procedures relating to HIPAA through various methods including but not limited to staff meetings, in-person meetings, seminars, orientation meetings and phone or web-based meetings
- Monitor the process of identifying and training new employees, volunteers and students within the University Unit who require access to PHI
- Monitor compliance with the policies and procedures of the University Unit relating to HIPAA
Roles and responsibilities – Unit HIPAA Coordinators
- Report directly to the UH System HIPAA Privacy and Security Officer(s) any and all violations that result in an impermissible use or disclosure of PHI and/or ePHI;
- Report directly to the UH System HIPAA Privacy and Security Officer(s) any and all privacy violations under HIPAA;
- Report directly to the UH System HIPAA Privacy and Security Officer(s) any and all security violations under HIPAA;
- Ensure continued compliance with HIPAA, this HIPAA Policy, and all University policies and procedures relating to HIPAA; and
- Review all BAAs, Data Use and Data Sharing Agreements prior to execution by the Project Principal Investigator or Program Lead.
Policies and procedures
- General Requirements and Practices:
  ➢ Sharing PHI
  ➢ Risk Assessment
  ➢ Designate a Coordinator
  ➢ HIPAA Training
  ➢ BAA Management (Internal & External)
Policies and procedures – HIPAA Privacy
- Relating to the HIPAA Privacy Rule:
  - Disclosure only with consent
  - Disclosure required to individual and DHHS
  - Disclosure to UH Covered Component
  - Disclosure to Business Associate
  - Disclosure pursuant to valid authorization
  - Disclosure for marketing purposes
  - Disclosure of psychotherapy notes
  - Disclosure relating to minors
  - Disclosure requiring advance notice and opportunity to agree or object
  - Disclosure when authorization or opportunity to agree or object not required
  - Disclosure to determine identity or cause of death
  - Disclosure for research purposes
Policies and procedures – HIPAA Privacy (continued)
  - Disclosure to prevent/lessen imminent threat of harm
  - Disclosure for workers' compensation purposes
  - Disclosure of de-identified data
  - Disclosure of Limited Data Set
  - Disclosure consent requires prior notice of privacy practices
  - Disclosure by a Unit which is a federally assisted drug abuse program or a federally assisted alcohol abuse program
  - Rights to request privacy protection for PHI
  - Access of individuals to PHI
  - Amendment of PHI
  - Accounting of disclosures of PHI
  - Administrative requirements
  - Organizational Options (Covered Entities must designate in writing their operations that perform covered functions as one or more "health care components").
Policies and procedures – HIPAA Security
- Relating to the HIPAA Security Rule (Administrative safeguards); in the lists that follow, (R) marks a required implementation specification and (A) an addressable one:
  - Security Management Process § 164.308(a)(1)
    - Risk Analysis (R)
    - Risk Management (R)
    - Sanction Policy (R)
    - Information System Activity Review (R)
  - Assigned Security Responsibility § 164.308(a)(2)
  - Workforce Security § 164.308(a)(3)
    - Authorization and/or Supervision (A)
    - Workforce Clearance Procedure (A)
    - Termination Procedures (A)
  - Information Access Management § 164.308(a)(4)
    - Isolating Health Care Clearinghouse Functions (R)
    - Access Authorization (A)
    - Access Establishment and Modification (A)
Policies and procedures – HIPAA Security
- Relating to the HIPAA Security Rule (Administrative safeguards)
  - Security Awareness and Training § 164.308(a)(5)
    - Security Reminders (A)
    - Protection from Malicious Software (A)
    - Log-in Monitoring (A)
    - Password Management (A)
  - Security Incident Procedures § 164.308(a)(6)
    - Response and Reporting (R)
  - Contingency Plan § 164.308(a)(7)
    - Data Backup Plan (R)
    - Disaster Recovery Plan (R)
    - Emergency Mode Operation Plan (R)
    - Testing and Revision Procedures (A)
    - Applications and Data Criticality Analysis (A)
Policies and procedures – HIPAA Security
- Relating to the HIPAA Security Rule (Administrative safeguards)
  - Evaluation § 164.308(a)(8)
  - Business Associate Contracts and Other Arrangements § 164.308(b)(1)
    - Written Contract or Other Arrangement (R)
Policies and procedures – HIPAA Security
- Relating to the HIPAA Security Rule (Physical safeguards)
  - Facility Access Controls § 164.310(a)(1)
    - Contingency Operations (A)
    - Facility Security Plan (A)
    - Access Control and Validation Procedures (A)
    - Maintenance Records (A)
  - Workstation Use § 164.310(b)
  - Workstation Security § 164.310(c)
  - Device and Media Controls § 164.310(d)(1)
    - Disposal (R)
    - Media Re-use (R)
    - Accountability (A)
    - Data Backup and Storage (A)
Policies and procedures – HIPAA Security
- Relating to the HIPAA Security Rule (Technical safeguards)
  - Access Control § 164.312(a)(1)
    - Unique User Identification (R)
    - Emergency Access Procedure (R)
    - Automatic Logoff (A)
    - Encryption and Decryption (A)
  - Audit Control § 164.312(b)
  - Integrity § 164.312(c)(1)
    - Mechanism to Authenticate Electronic Protected Health Information (A)
  - Person or Entity Authentication § 164.312(d)
  - Transmission Security § 164.312(e)(1)
    - Encryption (A)
    - Integrity Controls (A)
Policies and procedures – HIPAA Security
- Relating to the HIPAA Security Rule (Breach of Unsecured PHI)
  - Notification in the Case of Breach of Unsecured PHI
  - Notification to Individuals
  - Notification to others
  - Notification to the DHHS Secretary
  - Notification by a Business Associate
  - Notification to and coordination with UH System HIPAA Privacy and Security Officer(s)
J.T. Ash, UH System HIPAA Compliance Officer, jtash@hawaii.edu • (808) 956-7241