Regulation on Security of Electronic Individually Identifiable Health Care Information under HIPAA

I. Introduction

A. This Regulation addresses The University of North Carolina at Charlotte’s obligations to comply with the security regulations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which require the University, its health care components, related departments and any employees, agents, business associates or assigns thereof , to protect the confidentiality, integrity and availability of individually identifiable health information created, received, transmitted or maintained, by or in electronic media form (specifically "electronic protected health information" or "ePHI"). It also defines the University as a Hybrid Entity and designates its Covered Health Care Components.

B. This Regulation supplements the University’s existing information technology (IT) security policies, including, but not limited to University Policies 303, 304, 307, and 311, and any applicable security provisions contained in student, staff or faculty manuals. This Regulation is intended to apply to ePHI only.

II. Definitions

A. Business Associate: The definition of Business Associate is set forth in University Policy 605.2, Privacy and Confidentiality of Individually Identifiable Health Care Information under HIPAA.

B. Covered Health Care Components: The definition of Covered Health Care Components is set forth in University Policy 605.2, Privacy and Confidentiality of Individually Identifiable Health Care Information under HIPAA.

C. Electronic Media: Electronic Media means:

• Electronic storage media, including but not limited to computer memory devices (i.e. hard drives), and removable or transportable digital memory medium (i.e. disk, memory card, tape);
• Transmission media used to exchange ePHI already in electronic storage media, which includes, but is not limited to, the Internet, extranet, leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media.
• Other ePHI transmissions, including transmissions by facsimile and by land-based or cellular telephone, to the extent any ePHI transmitted via these means originates or is received as data in electronic storage media.

D. Electronic Protected Health Information (“ePHI”): PHI that is created, received, transmitted or maintained by Electronic Media as data.

E. Hybrid Entity: A single legal entity (1) that is a covered entity, (2) whose business concerns include both covered and non-covered functions, and (3) that designates and documents the designation as underlying health components:

• any subdivision of the Hybrid Entity that would be considered a covered entity if it was a separate legal entity;
• any subdivision to the extent that it performs covered functions; or
• any subdivision that would be considered a Business Associate of a component if the two were separate legal entities.

F. Implementation Specification: Approved and documented method, either required or addressable, by which a policy standard is to be executed, and which serves as a reasonable and appropriate safeguard to protect against a reasonably foreseeable threat or hazard to the maintenance or transmission of ePHI.

III. Regulation

A. The protection of the confidentiality, integrity and availability of ePHI, as required by HIPAA, necessitates the implementation of particular safeguards for ePHI created, received, maintained or transmitted by and through electronic media.

B. As an entity containing subdivisions and components that act as health care providers that create, receive, maintain and transmit ePHI, the University is considered a Hybrid Entity and, as such, subject to the security provisions in HIPAA.

C. The University is obligated under federal and state law to:

1. Implement security measures to ensure the confidentiality, integrity and availability of all ePHI that the University creates, receives, maintains and/or transmits;
2. Protect against any reasonably anticipated threats or hazards to ePHI;
3. Protect against any reasonably anticipated uses or disclosures of ePHI that are not permitted under this or other University policies or state and federal law.

D. Each Covered Health Component (hereinafter “Component”) of the University, which creates, maintains, receives or transmits ePHI, will comply with the general University policies governing the security of ePHI, which are required under HIPAA. These Components and subdivisions may be delegated the authority to establish policies and procedures governing the security of ePHI, according to each one’s resources and volume of ePHI each such Component or subdivision creates, receives, maintains or transmits. Any such policies or procedures must receive prior approval by the University’s HIPAA Security Officer.

E. All implementation specifications approved by the University in connection with this Regulation are applicable to the Components, all functional units supporting the Components and/or business associates, all employees, agents, assigns, faculty, contractors and guests who have or are given access to ePHI at the risk of University sanctions and civil and/or criminal penalties. Violation of any such implementation specifications may result in applicable disciplinary measures and/or civil and/or criminal penalties.

IV. Administrative Safeguards

A. Security Responsibility:

The University, as the Hybrid Entity responsible for compliance by itself and its Components with this Regulation and the underlying HIPAA statute, is fully and solely responsible for the implementation and oversight of the Policies and Procedures set forth herein. The Chief Information Security Officer (CISO) or designee shall act as the University’s HIPAA Security Officer. The University’s HIPAA Security Officer (hereinafter “Security Officer”) is hereby authorized to act as the agent of the University and is empowered to make or approve all decisions and implementations relating to the oversight of this Regulation and any successor policies. The Security Officer will have the final authority on all matters of security associated with the protection of ePHI. The Security Officer will designate individuals within the Components, as Information Security Officers (ISOs), who will act to ensure compliance with this Regulation and related University, State and Federal statutes involving the security and privacy of PHI in general and ePHI in particular within their Component. In general, the head of the Component or unit generating the ePHI will be that department’s/unit’s ISO, unless otherwise specified by the Security Officer.

Any policies or procedures that the ISOs seek to implement for their Components or Units, must be approved by the HIPAA Security Officer. All Business Associates will be required to designate a security overseer pursuant to the University’s Business Associate Agreement.

B. Security Management Process:

The University and its Components will thoroughly assess the potential risks and vulnerabilities to the confidentiality, integrity and availability of its ePHI (Risk Analysis) and implement security measures to reasonably reduce such risks and vulnerabilities to an appropriate level (Risk Management). Each ISO will conduct regular reviews of records of information system activity, such as audits and security incident tracking reports, no less than every six months.

C. Workforce Security:

Access to ePHI at appropriate locations will be granted on a “need-to-know” basis only, through storage of ePHI at a central source, accessible only at certain workstations and with protected access information, which shall be kept confidential by the authorized individuals. Access to ePHI by any individual may be terminated at any time, as deemed necessary by the Security Officer, ISOs, or supervisors.

D. Information Access Management:

All Components and units shall implement appropriate methods to segregate and protect access to ePHI from the general University, by maintaining ePHI on servers and/or drives separate from the network and made accessible only to authorized individuals at appropriately authorized locations and through appropriately authorized methods, such as approved and individualized passwords. All policies and procedures relating to information access shall be documented, reviewed and, where appropriate, modified by the Security Officer at regular intervals no less than annually.

E. Security Awareness and Training:

All employees, faculty and staff of the University and its Components, who are authorized access to ePHI and may create, receive, maintain and/or transmit ePHI, shall undergo periodic training and awareness programs through the Information Technology Security (hereinafter “ITS”) Department, which may include security updates, procedures for detecting, avoiding and reporting malicious software programs, log-in monitoring, use and modification of passwords and reporting discrepancies in security procedures.

F. Security Incident Procedures:

The University and its Components shall maintain procedures for identifying and responding to known or suspected security incidents, which include procedures for reporting and documenting incidents. All individuals authorized access to ePHI shall be trained on such procedures and receive periodic updates and review training on procedures.

G. Contingency Plan:

Control procedures must ensure that the University can recover from any damage or infiltration to computer equipment or files within a reasonable period of time. Each Component or unit is required to develop and maintain a plan for responding to a system emergency or other occurrence (for example fire, vandalism, system failure, and natural disaster) that damages systems that contain ePHI. This will include developing policies and procedures including the following plans:

• Data Backup Plan: A data backup plan must be documented and routinely updated to create and maintain, for a specific period of time, retrievable exact copies of information, to be stored in an off-site location.
• Disaster Recovery Plan: A disaster recovery plan must be developed and documented which contains a process enabling the Component to restore any loss of data in the event of fire, vandalism, natural disaster, or system failure. Each Component shall develop and document procedures requiring periodic testing of written contingency plans.

H. Evaluation:

The University requires that periodic technical and non-technical evaluations be performed by the Security Officer and/or the ISOs, in cooperation with the ITS Department, in response to environmental or operational changes affecting the security of ePHI to ensure its continued protection. The evaluations will be conducted at least annually.

V. Physical Safeguards

A. Facility Access Controls:

Each Component shall document and implement facility access controls to limit physical access to electronic information systems containing ePHI and the facilities in which they are housed, while ensuring that properly authorized access is allowed and all such procedures must be fully documented. Component policies and procedures must be developed to address the following access control requirements:

1. Contingency Operations: In support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency (as per the University’s Business Continuity Plan for each covered entity).
2. Facility Security Plan: To safeguard the facility and the equipment from unauthorized physical access, tampering, and theft.
3. Access Control and Validation: To control and validate a person’s access to facilities based on their position or need to know, including visitor control, and control of access to software programs for testing and revision.
4. Maintenance Records: To document repairs and modifications to the physical components of the facility which are related to security (for example, hardware, walls, doors, and locks). Anyone potentially accessing ePHI due to the maintenance or repair of hardware of software systems must sign a confidentiality agreement at the time of employment, which must be renewed periodically. For Business Associates, confidentiality statements must be signed at the time of Business Associate Agreements and any renewal(s) thereof.

B. Workstation Use:

Access to workstations where ePHI is accessible will be granted on a need to know basis only, requiring approval by an immediate supervisor with the assistance of the ISO. Workstations and personal computers where ePHI is available will be secured against unauthorized individuals by use of secured locations, confidential identifications (i.e., passwords), automatic shutdowns and encryption. Laptop computers and transportable storage devices shall not be used to store or transport ePHI.

C. Workstation Security:

Unique user identification (user ID) and authentication is required for all systems that maintain or access ePHI. Users will be held accountable for all actions performed on this system with their user ID.

1. At least one of the following authentication methods must be implemented (a) strictly controlled passwords with two-factor authentication, (b) biometric identification, and/or, (c) tokens in conjunction with a PIN.
2. The user must secure their authentication control (e.g. password, token) such that it is known only to that user and possibly a designated security manager.
3. An automatic timeout re-authentication must be required after a certain period of no activity (maximum 15 minutes).
4. The user must log off or secure the system when leaving it.

D. Device and Media Controls:

Each Component must develop and implement policies and procedures (as approved by the Security Officer) that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, and the movement of the items within the facility, including information disposal/media re-use of hard copy (paper and microfilm/fiche), magnetic media (floppy disks, hard drives, zip disks, etc), and CD ROM disks. Each Component must document the movement of hardware and electronic media and any person responsible for the equipment and create data backup and storage and the method for destroying electronic records, following a completed transfer.

E. Other Transmission Controls:

At all times, except in cases of emergency, ePHI will be transmitted in hard-copy printed form, via hand delivery or postal delivery (either private or government-based). In cases of emergencies only, ePHI may be transmitted by facsimile, from land-line facsimile machines only. At no time shall ePHI be transmitted via email or other transmission methods available through the Internet or Extranet.

VI. Technical Safeguards

A. Access controls:

Physical and electronic access to ePHI is controlled. To ensure appropriate levels of access by internal workers, a variety of security measures (as described in Section V, above) will be instituted as recommended by the ISOs and ITS Department and approved by the Security Officer,.

B. Audit controls:

Hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI will be implemented by ISOs, with the approval of the Security Officer. Regular review of records of information system activity, such as audit logs, access reports, and security incident tracking reports, will be performed by the ISOs in cooperation with the ITS Department. These reviews must be documented and maintained for six (6) years. All breaches or attempted breaches of ePHI must be reported to the Security Officer immediately upon discovery. A report detailing the breach or attempted breach must include location, time, date, whether or not a breach occurred, what data was violated, the extent of the violation, and what measures are needed to remedy to situation.

C. Integrity:

Mechanisms to authenticate ePHI and corroborate that the information has not been altered or destroyed will be implemented where appropriate by the ITS Department on the recommendation of the Security Officer or ISOs.

D. Entity Authentication:

User identification will be required at all accessible workstations by use of passwords and/or identification numbers.

E. Transmission Security:

Mechanisms to allow encryption of ePHI will be implemented where appropriate by the ITS Department on the recommendation of the Security Officer or ISOs.

VII. Business Associate Contracts

A. The University or one of its Components may enter a contract with an outside entity to perform or facilitate activities involving the creation, receipt, transmission or maintenance of ePHI, only if the Business Associate provides satisfactory assurances via an approved Business Associate contract that it will appropriately safeguard all University ePHI to which the Business Associate, its employees, agents, contractors and assigns receive access, and if an individual to act as a security overseer within the business associate is identified

B. The standard set forth in Section VII.A will not apply to:

1. transmission of ePHI to another health care provider relating to the treatment of an individual; or
2. transmission of ePHI to a group health plan sponsor or insurance issuer, to the extent the sponsor or issuer has provided adequate assurances that it is in compliance with the HIPAA security regulations.

C. The University or its Components shall terminate any contract, involving ePHI access and use, with a Business Associate, when it is learned actions of the Business Associate constituted a material breach or violation under the contract, and failed to take reasonable steps to cure the breach or end the violation upon request of the University or its Component. If termination of the contract is not feasible and if the breach or violation cannot be cured or ended, the Security Officer will report the problem to the Secretary.

D. The Business Associate contracts in use by the University and its Components and its Business Associates will require the implementation by the Business Associate and its employees, agents, contractors and assigns, of reasonable and adequate administrative, physical and technological safeguards to appropriately protect the confidentiality, integrity and availability of University’s ePHI created, maintained, received or transmitted by the business associate. The contracts will require that the Business Associate report a security incident to the Component or the Security Officer within ten (10) calendar days of becoming aware of such incident. The contracts will contain a provision authorizing immediate termination upon the University’s determination that the contract has been materially breached or otherwise violated. They will further comply to the extent reasonable and appropriate with the remaining requirements set forth in 45 CFR Sec. 164.314 (a)(2).

VIII. Documentation

A. All policies and procedures enacted by the University in accordance with the HIPAA Security Rule and in conjunction with this Regulation, and all activities, actions and assessments required to be documented shall be maintained in written form. The documentation may be in electronic form.

B. All documentation required under this Section IX shall be made available to those persons responsible for implementing the pertinent procedures.

C. All documentation required under this Section IX shall be maintained a minimum of six (6) years from the date of its creation or whenever it was last in effect.

D. The University and its Components may change its policies and procedures at any time, as long as such policies and procedures are

1. in compliance with the HIPAA Security Rule and this Regulation,
2. approved by the Security Officer, and
3. maintained in documented form in accordance with this provision.

E. All documentation will be subject to periodic reviews and updates, as necessitated by environmental or operational changes effecting ePHI.

IX. Sanctions

A. Breaches of privacy or security of PHI or ePHI are to be reported immediately to the Security Officer.

B. Components must mitigate, to the extent practicable, any known harmful effects of the use or disclosure of PHI or ePHI in violation of this Regulation or the requirements of HIPAA.

C. Any University employee, agent, assign or contractor who is in violation of this Regulation is subject to disciplinary action up to and including discharge in accordance with applicable University policies and procedures. Individuals may also be subject to civil and criminal penalties under HIPAA.