HIPAA Security Rule Regulations in Force as of April 21, 2005
The Health Insurance Portability and Accountability Act (HIPAA) regulations relating to the security of our electronic patient information (i.e., ePHI or electronic Protected Health Information) are now in effect. The information covered by this portion of the HIPAA regulations includes any ePHI stored on any type of electronic device or storage media or sent across our networks and covers both our use of the information and that of any business partners. These regulations require that we implement administrative, technical and physical safeguards that will protect this information from inappropriate use or disclosure and will keep it secure, reliable and available to authorized users whenever it is needed.
We have created a legal entity called the VCU Affiliated Covered Entity (or ACE) that is the focal point for all HIPAA Privacy and Security related activities. The ACE, which consists of VCUHS, Virginia Premier and a list of VCU components, is the entity that must be compliant with HIPAA.
To prepare for compliance with the Security Rule, the Health System and the University have been intently reviewing the ways in which we use computerized patient data, reviewing the stipulations of the regulations and taking actions to meet these requirements. Representatives from all departments have contributed to these reviews and will continue to do so. Compliance with these regulations, as with our Joint Commission compliance, is not a one-time event but is instead a continuing process. This is the first of ongoing communications about the ways in which we will work to keep our electronic patient information secure.
The risks to the information are many and substantial. For example, a personal computer that is connected to the Internet and is running Microsoft Windows without the protection of a firewall and real-time virus scanning is likely to be infected with a virus or worm in under 30 minutes. The viruses and worms that can infect computers now are very sophisticated and are being used to facilitate stealing people's identities and to gather other key information, rather than only to disrupt our computer-based activities. Protection against these threats requires a variety of approaches, ranging from ACE-wide policies to individual awareness and daily action on the part of all members of the VCU ACE workforce.
The HIPAA regulation requires us to protect ePHI from any reasonably anticipated threat and to keep it correct and available. The activities associated with our Security Rule compliance effort involve a) steps to assure that only authorized personnel can access the data, b) processes to back up the information and recover it in case of problems, and c) processes to allow operations to continue if the information, or access to it, is lost temporarily.
The ACE has adopted the following three-level plan for complying with the regulations and (more importantly) protecting our patients' information:
1) Enterprise Level protections
a. A group of policies and procedures has been drafted that addresses each of the major areas of the regulation and identifies our policy related to that topic and the personnel (by title) with responsibility for carrying out the policies. (These policies will be released as interim policies soon.)
b. We continue to invest in central safeguards which protect our information and systems from intrusion and viruses (e.g., firewall, vulnerability scanner).
c. In many areas, we are assuring that the workstations are protected from viruses by central management of virus protection software and remote, network-wide software updates.
d. The Compliance Office, along with Assurance Services (Audit) and the Information Systems Security groups, will conduct a program of ongoing, periodic reviews of the enterprise's systems and files containing patient data, along with the practices in place for protecting this information.
2) Department and System Level
a. Each department that owns resources which hold patient data, such as databases, workstations and files, is responsible for protecting this information by demonstrating that the required protections (e.g., access control, physical security, backup and recovery practices) are in place and documented.
b. Complete and maintain the inventories of computing assets owned by the department which can contain patient data.
c. Follow up on any security-related weaknesses noted in the compliance assessment phase and logged to risk statements and work plans.
d. Assure that departmental information technology specialists and security liaisons have completed the online Security Rule training sessions.
e. Alert the Compliance Office whenever changes are being implemented to the systems and equipment used to store or transmit patient data.
3) Individual Level
a. The individual members of the ACE workforce must be aware of the mandate to protect the security of our patients' data and must follow the policies and procedures associated with use of such information. Examples of the actions required from every member of the ACE workforce are:
i. Don't share logon IDs and never tell anyone your passwords.
ii. Log out or lock your workstation whenever you step away from it.
iii. Don't send email containing ePHI to anyone outside of the VCUHS email system.
iv. Use workstations that could access ePHI for business purposes only.
v. Report any concerns about security exposures or suspected breaches to the Help Desk or the Compliance Office.
For more information, visit the VCU Compliance Office's HIPAA website at:
http://www.vcu.edu/hipaa