
12-13 HIPAA Safeguards

About CMU's "HIPAA safeguards policy"

This policy establishes a framework that identifies critical processes to protect protected health information and electronic records and to bring CMU into compliance with the Health Insurance Portability and Accountability Act of 1996.

NOTE ABOUT PDF VERSION: The PDF is the official text of the policy. If there are any incongruities between the text of the HTML version and the text within the PDF file, the PDF will be considered accurate and overriding.

BACKGROUND

Central Michigan University (CMU) is a covered entity under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) law and regulations. CMU’s business activities include both covered and non-covered functions. CMU has designated itself as a Hybrid Entity.

According to the law, all CMU officers, employees and agents of units within the Hybrid Entity must preserve the integrity and the confidentiality of individually identifiable health information (IIHI) pertaining to each individual. This IIHI is considered protected health information (PHI) and shall be safeguarded in compliance with the requirements of the Security and Privacy Rules and standards established under HIPAA.

The HIPAA law and regulations require CMU to have appropriate administrative, technical, and physical safeguards in place to protect the privacy, integrity, and confidentiality of PHI. CMU’s policy is to maintain appropriate safeguards as required by HIPAA.

For additional information on the measures CMU is implementing in order to comply with this legislation, visit the official HIPAA web site at HIPAA.cmich.edu

PURPOSE

In accordance with HIPAA Privacy and Security Rules, CMU has adopted this policy to fulfill its duty to protect the privacy, confidentiality, and integrity of PHI and electronic PHI (ePHI). CMU is committed to: safeguarding the flow of health information needed to provide and promote high quality health care, protecting the public’s health and well-being, and carrying out the necessary functions of the self-funded health plan, as required by law. This policy identifies the most significant physical, administrative and technical safeguards to be followed by CMU’s Hybrid Entity units.

DEFINITIONS

Confidentiality: PHI/ePHI is not available or disclosed to unauthorized persons.

Integrity: PHI/ePHI is not altered or destroyed in an unauthorized manner.

Availability: PHI/ePHI is accessible and usable on demand by an authorized person.

Hybrid Entity: A department or unit designated as within the HIPAA: Hybrid Entity Defined Policy #12-2. (See the policies at: HIPAA.cmich.edu)

Individually Identifiable Health Information (IIHI): A subset of health information, including demographic information collected from a patient/client/employee, that is created or received by a health care provider, health plan or employer and relates to the past, present, or future physical or mental health or condition of a patient/client/employee, the provision of health care to a patient/client/employee, or the past, present or future payment for the provision of health care to a patient/client/employee, and which identifies the patient/client/employee, or with respect to which there is a reasonable basis to believe that the information can be used to identify the patient/client/employee.

All other terms used in this policy have the same meaning as those terms in the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 and the regulations at 45 CFR Parts 160, 162, and 164.

POLICY

1.0 CMU will take reasonable precautions to prevent, detect, contain, and correct security violations. All workforce members and agents of CMU Hybrid Entity designation shall adhere to CMU policies and HIPAA rules in order to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting PHI and ePHI.

2.0 The HIPAA risk management program shall include a collaboration between the HIPAA Privacy Officer, HIPAA Security Officer, and Chief Information Security Officer to recommend and monitor the effectiveness of security safeguards intended to reduce risks and vulnerability to a reasonable and appropriate level in order to:

a. Ensure the confidentiality, integrity, and availability of all PHI/ePHI that is created, received, maintained, or transmitted.
b. Identify and protect against reasonably anticipated threats to the security or integrity of the information.
c. Protect against reasonably anticipated, impermissible uses or disclosures.
d. Ensure workforce compliance with HIPAA Rules and the CMU HIPAA policies.

3.0 The HIPAA Security Officer will identify and maintain an inventory of the information systems that house ePHI. When a new system is implemented, a security and privacy review will be conducted.

4.0 CMU will regularly perform reviews of information system activity (e.g., audit logs and trails, information system activity records, facility access records) for the purpose of detecting:

a. Unauthorized access to ePHI.
b. Unusual patterns of use or activity.
c. Other potential security violations.

5.0 The HIPAA Privacy Officer and HIPAA Security Officer will collaborate with other HIPAA Security Incident Response Team (HSIRT) members to assure procedures are developed, implemented, and documented to:

a. Identify possible security incidents.
b. Respond to suspected or known security incidents.
c. Mitigate, to the extent practical, harmful effects of known security incidents.
d. Document and report security incidents and their outcomes.

6.0 Personnel who are allowed access to ePHI assume personal responsibility to maintain the integrity and security of the system and the network they use, by following established guidelines for personal login, password, and workstation controls.

7.0 Documentation of risk assessment and system activity reviews shall be retained for at least six years, in accordance with HIPAA documentation requirements.

8.0 All workforce members and agents of CMU Hybrid units shall be guided by the examples in Exhibit A to safeguard PHI/ePHI. This list of examples in Exhibit A is not all-inclusive. Exhibit A may be updated and revised by the HIPAA Privacy Officer and HIPAA Security Officer as necessary and upon technological changes.

Central Michigan University reserves the right to make exceptions to, modify or eliminate this policy and/or its content. This document supersedes all previous policies, procedures or guidelines relative to this subject.