Achieving HIPAA Security Regulations Compliance
January 2005
REQUIRED controls must be implemented by the covered entity in order to achieve compliance with the regulation.
ADDRESSABLE controls must be evaluated to determine if they are reasonable and appropriate for the covered entity. The covered entity must then must either implement, implement an alternative, or not implement the control. If the control is not reasonable and appropriate, the covered entity must document why the control is not reasonable and appropriate.
PART 1 includes documentation of the required and addressable HIPAA security controls implemented at The University of Iowa on a site-wide basis.
PART 2 includes policy, reference information, and samples to assist local units which are components of the "Hybrid Entity" at The University of Iowa with implementation of required and addressable security controls.
Questions about the implementation of security controls for protection of University of Iowa systems that handle electronic protected health information (i.e., Restricted-Health data), may be directed to the IT Security Office by calling 5-6332 or sending email to security@uiowa.edu
PART 1: Site implementation/documentation in support of compliance at the University of Iowa
Required Controls:
| CONTROL | IMPLEMENTATION | REFERENCES AND RESOURCES |
| Sanctions Policy | site | Security Framework Policy, Acceptable Use of Information Technology Resources Policy |
| Name a Security Officer | site | Roles and Responsibilities for Information Security |
| Incident Response Capability and Reporting Procedures | site | Security Incident Escalation Policy, CERT Team |
| Data Backup Policy | site and local* | Backup and Recovery Policy |
| Workstation use, access policy and procedures | site | Institutional Data Access Policy |
| Equipment disposal, re-use policy and procedures | site | TBD, see Sample Policies (doc) |
| Unique User ids for each person | site | Enterprise Login ID Standard |
| Strong authentication | site | Enterprise Password Policy |
| Policies and Procedures documented | site and local* | IT Policy Website (campus repository) |
| All documentation, including policy, reviewed and updated regularly, retained for 6 years, and made available to all affected persons. | site and local* | Information Security Program Plan |
*For controls requiring both site and local implementation, the local unit must develop procedures in line with the site policy.
Addressable Controls:
| CONTROL | IMPLEMENTATION | REFERENCES AND RESOURCES |
| Security reminders, training, and anti-virus resources | site | Security Education Resource Webpage, Security Framework Policy, Software Download Webpage, also see Sample Policies (doc) |
| Strong Password Policy | site | Enterprise Password Policy |
PART 2: Local implementation/documentation assistance in support of compliance at the University of Iowa.
Required Controls: The following controls must be implemented and documented at the local level. Reference documents, samples, and other available resources are listed to assist.
| CONTROL | REFERENCES AND RESOURCES |
| Conduct a formal Risk Assessment | Institutional Data Access Policy, Risk Assessment Template (doc), Sample Risk Assessment Report (pdf) Sample Risk Assessment Process (pdf) Information Protection Assessment Tool (xls) |
| Implement controls to reduce identified risks | HIPAA IT Security Plan (pdf) Sample Risk Assessment Report (pdf) |
| Develop procedures to review system activity logs, account privileges, account eligibility and duration, and incident records. | Security Framework Policy, Sample Policies (doc) |
| Develop a Disaster Recovery Plan | Enterprise IT Disaster Plan (includes unit/local DR plan instructions), Unit Disaster Plan Sample Forms (doc) |
| Develop an Emergency Operations Plan | Security Framework Policy, Sample Policies (doc) |
| Develop System Emergency Access Procedures | Sample Policies (doc) |
| Implement auditing of system activity and its regular review | Security Framework Policy, Sample Policies (doc) |
| Draw up Business Associate Contracts for non-university access to e-PHI | Refer to University of Iowa HIPAA Privacy Officer for assistance |
Addressable Controls: The local unit must decide if each item below is reasonable and appropriate for their environment, and then either implement, implement an alternative, or not implement the control. If the control is not reasonable and appropriate, the local unit must document why the control is not reasonable and appropriate. Reference documents, samples, and other available resources are listed to assist.
| CONTROL | REFERENCES AND RESOURCES |
| Employee Termination Procedures | Sample Termination Checklist (pdf) |
| Workforce supervision policy and procedures, background checks | Sample background check policy, Sample background check authorization form, Sample confidentiality agreement |
| Authorization policy and procedures for establishment and modification of access | Sample Policies (doc) |
| Login monitoring | Acceptable Use of Information Technology Resources Policy |
| Regular testing of contingency plans | Security Framework Policy |
| Perform data criticality analysis and classify data | Institutional Data Access Policy |
| Develop a facility (physical) security plan, including access control mechanisms, visitor control, and maintenance of records | Security Framework Policy, Sample Policies (doc) |
| Develop a system for equipment/inventory management | Sample Policies (doc) |
| Implement automatic logoff on machines | Security Framework Policy, Sample Policies (doc) |
| Utilize encryption for privacy in communications, and for data integrity | Security Framework Policy , Sample Policies (doc) |
| Develop/implement integrity controls for data | Institutional Data Access Policy, Security Framework Policy, Sample Policies (doc) |