Security Tip of the Week
Regulatory Compliance - HIPAA
HIPAA, the Health Insurance Portability and Accountability Act, affects everyone at the University of Rochester. As a healthcare provider, workforce members at URMC and Affiliates have a regulatory responsibility to comply with HIPAA and maintain the privacy of patients’ protected health information (PHI). However, all UR faculty, staff, students and volunteers are patients themselves at some point, either here at URMC or elsewhere, and are therefore affected by HIPAA. HIPAA is a good example of how the privacy of patient information intersects with IT security. In fact, the HIPAA Security regulations, with their IT focus, were enacted to ensure compliance with the HIPAA Privacy Rule.
IT security controls are required to maintain not only the confidentiality but also the integrity and availability of PHI in the following ways:
- Confidentiality—requires role-based access, which permits users to have only the access they need to perform their job (the HIPAA Privacy Rule requires adherence to a minimum necessary standard). Strong passwords, session inactivity timeouts, privacy and security training, proper user access templates, encryption of PHI whether in transit or at rest, appropriate physical security of data centers, servers, etc. are all required to maintain the confidentiality of PHI. Users may only access PHI when they have a clinical or business need to do so. Users who are not in compliance with HIPAA will be subject to sanctions as required by these federal regulations.
- Integrity—physicians and others caring for patients must have confidence that the data on which they base medical decisions are accurate and cannot be manipulated, deleted or tampered with by those who could potentially cause damage to a system. Proper controls over access provisioning and over the systems themselves are important to maintain the integrity of PHI.
- Availability—in order to be sure that systems containing protected health information are available as needed, business continuity plans, backup of systems, data recovery, emergency preparedness, business impact analysis, etc. are all necessary components.
With the launch of the eRecord system at Strong Memorial and Highland Hospitals, all users, as well as the Medical Center’s Information Systems staff, must be vigilant in their roles to maintain the confidentiality, availability and integrity of the medical information of over one million patients.
For more information on HIPAA, see the URMC intranet site at: http://intranet.urmc-sh.rochester.edu/policy/HIPAA/
Do you have ideas that should be shared as security tips of the week? If so, please send them to UnivIT_SP@ur.rochester.edu.