UH HIPAA Policy
Agenda
➢ HIPAA is a “TEAM SPORT” and everyone has a role in protecting protected health information (PHI).
➢ Purpose of the UH HIPAA Policy
➢ Objectives of the UH HIPAA Policy
➢ General Requirements and practices
➢ Roles and responsibilities
➢ Policies and procedures
UH HIPAA Policy Purpose
➢ Ensure that the University of Hawai‘i (the “University”) complies with the Health Insurance Portability and Accountability Act of 1996, as amended by the American Recovery and Reinvestment Act of 2009 (“ARRA”), which included the Health Information Technology for Economic and Clinical Health Act (“HITECH”) that expanded the scope of privacy and security protections, and by the implementing regulations at 45 Code of Federal Regulations (“CFR”) Parts 160, 162 and 164, as amended (collectively referred to as “HIPAA”).
UH HIPAA Policy Objectives
➢ Establish University System-wide policies and procedures to:
  ➢ Designate the University as a Hybrid Entity
  ➢ Establish fundamental principles governing the University’s management and use of Protected Health Information (“PHI”)
  ➢ Establish a set of standardized terms and definitions to promote consistent interpretation and implementation of the University’s HIPAA Policy.
  ➢ Establish clear lines of authority and accountability related to PHI.
  ➢ Set forth best practices for HIPAA compliance with the ongoing objectives of:
    ➢ Identifying University units and subunits (and their activities) that are subject to HIPAA
    ➢ Managing and mitigating information privacy and security risks related to PHI.
General requirements and practices
➢ DO NOT share PHI with the non-covered Units of the University (See Below)
➢ Comply with HIPAA and this HIPAA Policy
➢ Perform a risk assessment
➢ Designate a Unit HIPAA Coordinator
➢ Complete HIPAA training
➢ Maintain a BAA with another internal University Unit or an entity outside the University to share PHI or a Limited Data Set.
➢ Maintain a Data Use Agreement and BAA that receives the Limited Data Set, and such use has been approved by the University’s Institutional Review Board (“IRB”).
➢ Posts a Notice of Privacy Practices as required by HIPAA
Roles and responsibilities – Office of the Vice President for Information Technology and Chief Information Officer (OVPIT)
➢ Designate staff to serve as the University System HIPAA Privacy and Security Officer(s)
Roles and responsibilities – UH System HIPAA Privacy and Security Officer
➢ Relating to the HIPAA Privacy Rule:
  ➢ Maintain ongoing communication with all Unit HIPAA Coordinators;
  ➢ Coordinate training programs for the designated UH Covered Components (employees, students and volunteers) in cooperation with the Unit HIPAA Coordinators
  ➢ Maintain ongoing communications with the IRB regarding research use of PHI and Limited Data Sets
  ➢ Respond to complaints regarding University policies, procedures and practices related to the privacy of health information
  ➢ Respond, or refer, to the appropriate UH Covered Component, requests by individuals for access and amendment, an accounting of disclosures, or requested restrictions to the use and disclosure of PHI.
  ➢ Approve and execute all BAAs, Data Use Agreements, and Data Sharing Agreements.
Roles and responsibilities – UH System HIPAA Privacy and Security Officer
➢ Relating to the HIPAA Security Rule:
  ➢ Maintain ongoing communication with the Unit HIPAA Coordinators;
  ➢ Guide and assist with the development and implementation of ongoing security awareness and training programs for the employees, students, and volunteers of each UH Covered Component
  ➢ Monitor the use of security measures to protect PHI
  ➢ Assist in revising this HIPAA Policy and any University policy or procedure related to the privacy and security of PHI, as required to comply with changes in any applicable law, as well as documenting any change to any policy or procedure related to the privacy and security of PHI.
Roles and responsibilities – Unit HIPAA Coordinators
➢ Maintain ongoing communication with the UH System HIPAA Privacy and Security Officer(s)
➢ Develop and maintain procedures consistent with this HIPAA Policy for protection of PHI and ePHI in the University Unit, which is considered a UH Covered Component
➢ Maintain and update, as needed, procedures consistent with the policy for protection of PHI and ePHI in the University Unit
➢ Inform employees, volunteers, students, and as needed, consultants and others, about this HIPAA Policy and all University policies and procedures relating to HIPAA through various methods including but not limited to staff meetings, in person meetings, seminars, orientation meetings and phone or web based meetings
➢ Monitor the process of identifying and training new employees, volunteers and students within the University Unit who require access to PHI
➢ Monitor compliance with the policies and procedures of the University Unit relating to HIPAA
Roles and responsibilities – Unit HIPAA Coordinators
➢ Report directly to the UH System HIPAA Privacy and Security Officer(s), any and all violations that result in an impermissible use or disclosure of PHI and/or ePHI;
➢ Report directly to the UH System HIPAA Privacy and Security Officer(s), any and all privacy violations under HIPAA;
➢ Report directly to the UH System HIPAA Privacy and Security Officer(s), any and all security violations under HIPAA;
➢ Ensure continued compliance with HIPAA, this HIPAA Policy, and all University policies and procedures relating to HIPAA; and
➢ Review all BAAs, Data Use and Data Sharing Agreements prior to execution by the Project Principal Investigator or Program Lead.
Policies and procedures
➢ General Requirements and Practices:
  ➢ Sharing PHI
  ➢ Risk Assessment
  ➢ Designate a Coordinator
  ➢ HIPAA Training
  ➢ BAA Management (Internal & External)
Policies and procedures – HIPAA Privacy
➢ Relating to the HIPAA Privacy Rule:
  ➢ Disclosure only with consent
  ➢ Disclosure required to individual and DHHS
  ➢ Disclosure to UH Covered Component
  ➢ Disclosure to Business Associate
  ➢ Disclosure pursuant to valid authorization
  ➢ Disclosure for marketing purposes
  ➢ Disclosure of psychotherapy notes
  ➢ Disclosure relating to minors
  ➢ Disclosure requiring advance notice and opportunity to agree or object
  ➢ Disclosure when authorization or opportunity to agree or object not required
  ➢ Disclosure to determine identity or cause of death
  ➢ Disclosure for research purposes
Policies and procedures – HIPAA Privacy (continued)
  ➢ Disclosure to prevent/lessen imminent threat of harm
  ➢ Disclosure for workers compensation purposes
  ➢ Disclosure of de-identified data
  ➢ Disclosure of Limited Data Set
  ➢ Disclosure consent requires prior notice of privacy practices
  ➢ Disclosure by Unit which is a federally assisted drug abuse program or a federally assisted alcohol abuse program
  ➢ Rights to request privacy protection for PHI
  ➢ Access of individuals to PHI
  ➢ Amendment of PHI
  ➢ Accounting of disclosures of PHI
  ➢ Administrative requirements
  ➢ Organizational Options (Covered Entities must designate in writing its operations that perform covered functions as one or more “health care components”).
Policies and procedures – HIPAA Security
➢ Relating to the HIPAA Security Rule (Administrative safeguards)
  ➢ Security Management Process § 164.308(a)(1)
    ➢ Risk Analysis (R)
    ➢ Risk Management (R)
    ➢ Sanction Policy (R)
    ➢ Information System Activity Review (R)
  ➢ Assigned Security Responsibility § 164.308(a)(2)
  ➢ Workforce Security § 164.308(a)(3)
    ➢ Authorization and/or Supervision (A)
    ➢ Workforce Clearance Procedure (A)
    ➢ Termination Procedures (A)
  ➢ Information Access Management § 164.308(a)(4)
    ➢ Isolating Health Care Clearinghouse Functions (R)
    ➢ Access Authorization (A)
    ➢ Access Establishment and Modification (A)
Policies and procedures – HIPAA Security
➢ Relating to the HIPAA Security Rule (Administrative safeguards)
  ➢ Security Awareness and Training § 164.308(a)(5)
    ➢ Security Reminders (A)
    ➢ Protection from Malicious Software (A)
    ➢ Log-in Monitoring (A)
    ➢ Password Management (A)
  ➢ Security Incident Procedures § 164.308(a)(6)
    ➢ Response and Reporting (R)
  ➢ Contingency Plan § 164.308(a)(7)
    ➢ Data Backup Plan (R)
    ➢ Disaster Recovery Plan (R)
    ➢ Emergency Mode Operation Plan (R)
    ➢ Testing and Revision Procedures (A)
    ➢ Applications and Data Criticality Analysis (A)
Policies and procedures – HIPAA Security
➢ Relating to the HIPAA Security Rule (Administrative safeguards)
  ➢ Evaluation § 164.308(a)(8)
  ➢ Business Associate Contracts and Other Arrangements § 164.308(b)(1)
    ➢ Written Contract or Other Arrangement (R)
Policies and procedures – HIPAA Security
➢ Relating to the HIPAA Security Rule (Physical safeguards)
  ➢ Facility Access Controls § 164.310(a)(1)
    ➢ Contingency Operations (A)
    ➢ Facility Security Plan (A)
    ➢ Access Control and Validation Procedures (A)
    ➢ Maintenance Records (A)
  ➢ Workstation Use § 164.310(b)
  ➢ Workstation Security § 164.310(c)
  ➢ Device and Media Controls § 164.310(d)(1)
    ➢ Disposal (R)
    ➢ Media Re-use (R)
    ➢ Accountability (A)
    ➢ Data Backup and Storage (A)
Policies and procedures – HIPAA Security
➢ Relating to the HIPAA Security Rule (Technical safeguards)
  ➢ Access Control § 164.312(a)(1)
    ➢ Unique User Identification (R)
    ➢ Emergency Access Procedure (R)
    ➢ Automatic Logoff (A)
    ➢ Encryption and Decryption (A)
  ➢ Audit Control § 164.312(b)
  ➢ Integrity § 164.312(c)(1)
    ➢ Mechanism to Authenticate Electronic Protected Health Information (A)
  ➢ Person or Entity Authentication § 164.312(d)
  ➢ Transmission Security § 164.312(e)(1)
    ➢ Encryption (A)
    ➢ Integrity Controls (A)
Policies and procedures – HIPAA Security
➢ Relating to the HIPAA Security Rule (Breach of Unsecured PHI)
  ➢ Notification in the Case of Breach of Unsecured PHI
  ➢ Notification to Individuals
  ➢ Notification to others
  ➢ Notification to the DHHS Secretary
  ➢ Notification by a Business Associate
  ➢ Notification to and coordination with UH System HIPAA Privacy and Security Officer(s)
[email protected] •(808)956-7241