DRAFT - UCSC HIPAA Security Rule Compliance Policy
DRAFT REVISION FOR REVIEW - NOVEMBER 2013
Policy #: IT0001
Effective Date: 12/20/06
Last Revision Date: <<MMDD, 2013>>
UCSC HIPAA Security Rule Compliance Policy
| I-Purpose/Scope | II-Background | III-Definitions | IV-Detailed Policy Statement | V-Getting Help | VI-Applicability and Authority | VII-References | VIII-Attachments |
I. PURPOSE/SCOPE
UC Santa Cruz is subject to the federal Health Insurance Portability and Accountability Act (HIPAA) Security Rule [1], which identifies legal requirements for the protection of electronic health information for health care providers and related entities. The purpose of this policy is to establish the requirement that all UCSC entities subject to the HIPAA Security Rule must implement an identified set of practices consistent with the UC HIPAA Information Security Policy.
In the event that this policy and the University of California's HIPAA Policies [1] do not agree, the University of California's HIPAA Policies are controlling.
II. BACKGROUND
The HIPAA Security Rule, adopted in 2003, establishes safeguards to ensure the confidentiality of electronic protected health information (ePHI) as well as the appropriate access and use of this information.
UCSC's HIPAA Security Official, in consultation with the UCSC IT Security Committee, empowered the UCSC HIPAA Security Compliance Team to develop a common set of practices (the UCSC Practices for HIPAA Security Rule Compliance [2]) which, when fully implemented, would fulfill and demonstrate compliance with the HIPAA Security Rule. This group includes representatives from all campus units subject to the HIPAA Security Rule, Internal Audit, and ITS Security and management.
UCSC's HIPAA Security Official also recognized this group as the appropriate body to review and update these Practices annually, or more frequently in response to environmental or operational changes that affect the security of ePHI, as well as to determine whether each UCSC HIPAA entity has fully and appropriately implemented them.
III. DEFINITIONS
The University of California's HIPAA Glossary [3] defines the following terms:
- Electronic Protected Health Information, or ePHI
- Implementation Specifications
- Addressable
- Required
IV. DETAILED POLICY STATEMENT
All UCSC entities subject to HIPAA Security Rule requirements must implement the UCSC Practices for HIPAA Security Rule Compliance [2] or, for addressable implementation specifications, identify compensating controls where it is not practical or possible to fully address the Practices as stated. Implementation of these Practices must be documented utilizing the UCSC HIPAA Security Rule Compliance Workbook [4], and must be reviewed and updated at least annually.
V. GETTING HELP
For help with... | Contact...
... questions about this policy, including attachments | ITS Service Manager for Policy and Compliance: itpolicy@ucsc.edu, (831) 459-2779
... technical questions about implementing the UCSC Practices for HIPAA Security Rule Compliance | The ITS Support Center: itrequest.ucsc.edu, help@ucsc.edu, or 459-HELP; ITS Divisional Liaisons and local computer support
VI. APPLICABILITY AND AUTHORITY
This policy applies to all UCSC entities subject to HIPAA Security Rule requirements. The University of California HIPAA Administrative Requirements Policy [5] defines which UC entities and workforce members are subject to the HIPAA regulations and UC's systemwide HIPAA policies. At UCSC, entities to which the HIPAA Security Rule applies are determined through discussion with University Counsel and Internal Audit [6].
UCSC's HIPAA Security Official, on behalf of the Office of the Chancellor, is the campus authority for the HIPAA Security Rule Compliance Policy. This policy was originally reviewed and approved by the Campus Provost/Executive Vice Chancellor on 12/20/2006. It will be reviewed every three years, or more frequently in response to significant changes in the law, policy, environment or operations.
VII. REFERENCES
Federal
- The HIPAA Security Rule: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html
- US Department of Health and Human Services HIPAA Security Rule Guidance Materials: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html
University of California
- UC HIPAA Policies: http://policy.ucop.edu/ (search for HIPAA)
- UC HIPAA Website: http://www.ucop.edu/ethics-compliance-audit-services/compliance/hipaa/
UC Santa Cruz
- UCSC HIPAA Security Rule Website: http://its.ucsc.edu/policies/hipaa.html
VIII. ATTACHMENTS - All available online at http://its.ucsc.edu/policies/hipaa.html
Attachment 1: UCSC Practices for HIPAA Security Rule Compliance
Attachment 2: UCSC HIPAA Security Rule Compliance Workbook
Attachment 3: Current list of UCSC entities subject to HIPAA Security Rule requirements
Footnotes:
[1] See Sec VII. References
[2] See Sec VIII, Attachment 1
[3] Direct link to UC's HIPAA Glossary: http://policy.ucop.edu/doc/1110170
[4] See Sec VIII, Attachment 2
[5] Direct link to UC's HIPAA Administrative Requirements Policy: http://policy.ucop.edu/doc/1110159
[6] See Sec VIII, Attachment 3