Oklahoma State University Center for Health Sciences
OSU-CHS Centernet

Security Policies & Procedures

Section 0 - General Rules


Title: Applicability
Policy: SEC-00.01
Category: HIPAA Compliance
Authority: 45 CFR §
HIPAA Section: 164.104
Standard: General Provisions
Responsibility: Health Care Components
Effective Date: 04/20/2005
Approved by: OSU Legal Counsel
Revised: 7/1/2013
Purpose

To document the HIPAA Security Rule requirements with which OSU must comply.

Policy

Except as otherwise provided, the standards, requirements, and implementation specifications adopted under the HIPAA Security Rule apply to:

  • A health plan
  • A health care clearinghouse
  • A health care provider who transmits any health information in electronic form in connection with a transaction covered by the HIPAA Security Rule.

§164.104(a)

When a health care clearinghouse creates or receives PHI as a business associate of another covered entity, or other than as a business associate of a covered entity, the clearinghouse must comply with 45 CFR §164.105 relating to organizational requirements for covered entities, including the designation of health care components of a covered entity.  §164.104(b)

Procedure

Since OSU does operate as a health care clearinghouse and a health care provider, both of which are covered entities under HIPAA, OSU will address each component and meet all requirements thereof.



Title: Health Care Component
Policy: SEC-00.02
Category: HIPAA Compliance
Authority: 45 CFR §
HIPAA Section: 164.105(a)(1)
Standard: Organizational Requirements
Responsibility: Health Care Components
Effective Date: 04/20/2005
Approved by: OSU Legal Counsel
Revised: 7/1/2013
Purpose

To document how HIPAA applies to OSU and its official designation under the law.

Policy

Since OSU is a hybrid entity under HIPAA, the requirements of HIPAA apply only to the health care aspects of OSU.

OSU must ensure that a health care component of OSU complies with applicable requirements of §164.  In particular, and without limiting this Safeguard requirement, OSU must ensure that:

  • OSU’s health care component does not disclose PHI to another component of OSU to the same extent that it would be required under the Privacy Rule to protect such information if the health care component and the other component were separate and distinct legal entities;  §164.105(a)(2)(ii)(A)
  • OSU’s health care component does not disclose PHI to another component of OSU in circumstances in which the Security Rule would prohibit such disclosure if the health care component and the other component were separate and distinct legal entities;  §164.105(a)(2)(ii)(B)
  • If a person performs duties for both the health care component in the capacity of a member of the workforce of such component and for another component of the entity in the same capacity with respect to that component, such workforce member must not use or disclose PHI created or received in the course of or incident to the member’s work for the health care component in a way prohibited by the Privacy Rule.  §164.105(a)(2)(ii)(C)
  • For purposes of the Enforcement Rule (subpart C of 45 CFR §160), pertaining to compliance and enforcement, OSU has the responsibility of complying with the Security, Breach and Privacy rules of HIPAA.  §164.105(a)(2)(iii)(A)
  • OSU is responsible for complying with §164.316(a) and §164.530(i), pertaining to the implementation of policies and procedures to ensure compliance with applicable requirements including the safeguard requirements as stated above.  §164.105(a)(2)(iii)(B)
  • OSU is responsible for complying with §164.314 and §164.504 regarding business associate arrangements and other organizational requirements.  §164.105(a)(2)(iii)(C)
  • OSU is responsible for designating the components that are part of one or more health care components of the covered entity and documenting the designation in accordance with the previous bulleted item, provided that, if OSU designates one or more health care components, it must include any component that would meet the definition of a covered entity or business associate if it were a separate legal entity.  Health Care component(s) also may include a component only to the extent that it performs covered functions. §164.105(a)(2)(iii)(D)
Procedure

OSU is a hybrid entity.  OSU operates physician clinics, which are a covered entity, and also operates a clearinghouse, separate from the clinics.  Both are owned and operated by the same legal entity.

OSU will maintain all required documentation in accordance with the above stated policy.

  • This includes, but is not limited to, all applicable policies under the Security Rule, Privacy Rule, Breach Notification Rule, Enforcement Rule, Business Associate requirements and any other area within HIPAA.
  • The following departments in OSU are defined as health care components and would meet the definition of a covered entity or a business associate if they were separate legal entities:
    • Academic Affairs
    • Administrative Services
    • Business Affairs
    • Center for Aerospace and Hyperbaric Medicine
    • Central Supply
    • Clinic Financial Services
    • Clinical Director
    • Clinical Education
    • Fiscal Affairs
    • Forensic Science/Human ID Lab
    • Health Access Network
    • Health Information Technology
    • Human Resources
    • Information Technology
    • Institutional Services
    • Internal Audits
    • Marketing and Communications
    • OSU Physicians Clinics
    • Pathology
    • Physical Plant
    • Research
    • Rural Health/Telehealth
    • Safety
    • Security/Campus Police
  • OSU must maintain a written or electronic record of a designation as required by §164.105(a) & (b).  §164.105(b)(2)(c)(1)
  • OSU must retain the documentation required by the previous bulleted item for 6 years from the date of its creation or the date when it was last in effect, whichever is later.  OSU will keep all documentation, written or electronic, within the HIPAA Compliance Office.  §164.105(b)(2)(c)(2)
  • All Employees or Agents of the above listed components of OSU shall adhere to all HIPAA Policies and Procedures as applicable.


Title: Security Standards: General Rules
Policy: SEC-00.03
Category: HIPAA Compliance
Authority: 45 CFR §
HIPAA Section: 164.306(a)
Standard: Security Standards for the protection of PHI
Responsibility: Health Care Components
Effective Date: 04/20/2005
Approved by: OSU Legal Counsel
Revised: 7/1/2013
Purpose

To establish the security standards with which OSU will comply in respect of all electronic protected health information.

Policy
  1. OSU must ensure the confidentiality, integrity, and availability of all electronic PHI that OSU or any business associate creates, receives, maintains or transmits.  §164.306(a)(1)
  2. Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.  §164.306(a)(2)
  3. Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the Privacy Rule.  §164.306(a)(3)
  4. Ensure compliance with the Security Rule by OSU’s workforce.  §164.306(a)(4)
  5. Flexibility of approach: OSU and its business associates may use any security measures that allow OSU or the business associate(s) to reasonably and appropriately implement the standards and implementation specifications as specified in the Security Rule.  §164.306(b)(1)
  6. In deciding which security measures to use, OSU or the business associate(s) must take into account the following factors:
    1. The size, complexity, and capabilities of OSU or the business associate(s).  §164.306(b)(2)(i)
    2. The technical infrastructure, hardware, and software security capabilities of OSU or the business associate(s).  §164.306(b)(2)(ii)
    3. The cost of Security measures.  §164.306(b)(2)(iii)
    4. The probability and criticality of potential risks to electronic PHI.  §164.306(b)(2)(iv)
  7. OSU and its business associates must comply with the applicable standards as provided in this policy and in §164.308, §164.310, §164.312, §164.314, §164.316 with respect to all electronic PHI.  §164.306(c)
Procedure

OSU will ensure the confidentiality, integrity, and availability of all electronic PHI using computer hardware, software, and other technology as appropriate.

OSU will apply all operating system updates promptly to mitigate newly identified security risks, and will utilize firewall protection.  OSU will also utilize the Internal Audit department, may hire an outside party to conduct audits, and the HIPAA Compliance Office will conduct its own audits to ensure compliance with all applicable laws and regulations.

OSU will train staff on appropriate uses and disclosures, appropriate security precautions, and policies and procedures, and will utilize technology where needed to assist in maintaining compliance with the Privacy Rule in regard to use and disclosure.

OSU and its Business Associates will address proper security measures as outlined in this policy and will comply with all associated Security Rule regulations.



Title: Implementation Specifications
Policy: SEC-00.04
Category: HIPAA Compliance
Authority: 45 CFR §
HIPAA Section: 164.306(d)
Standard: Security Standards for the protection of PHI
Responsibility: Health Care Components
Effective Date: 04/20/2005
Approved by: OSU Legal Counsel
Revised: 7/1/2013
Purpose

To establish the method by which OSU will implement the required and addressable implementation specifications within the Security Rule.

Policy

Implementation specifications are either required or addressable.  §164.306(d)(1)

  • When a standard adopted in §164.308, §164.310, §164.312, §164.314, or §164.316 includes required implementation specifications, OSU must implement the specified implementation specifications.  §164.306(d)(2)
  • When a standard adopted in §164.308, §164.310, §164.312, §164.314, or §164.316 includes addressable implementation specifications, OSU must:  §164.306(d)(3)
    • Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting electronic PHI; and  §164.306(d)(3)(i)
    • As applicable to OSU:
      • Implement the implementation specification if reasonable and appropriate; or  §164.306(d)(3)(ii)(A)
      • If implementing the implementation specification is not reasonable and appropriate:  §164.306(d)(3)(ii)(B)
        • Document why it would not be reasonable and appropriate to implement the implementation specification; and  §164.306(d)(3)(ii)(B)(1)
        • Implement an equivalent alternative measure if reasonable and appropriate.  §164.306(d)(3)(ii)(B)(2)
  • OSU must review and modify the security measures implemented under the Security Rule as needed to continue provision of reasonable and appropriate protection of electronic PHI, and update documentation of such security measures in accordance with §164.316(b)(2)(iii).  §164.306(e)
Procedure
  1. OSU will implement a policy and procedure on every required and addressable Security Implementation Standard.
  2. For the addressable standards, OSU will follow the policy as stated above, document the reasonable and appropriate steps, whatever they may be, and implement those steps that OSU has found appropriate.
  3. OSU will review and modify as necessary all security measures on no less than an annual basis, and will document all changes to policies and procedures.
