Boston University and the HIPAA Security Requirements

ADMINISTRATIVE SAFEGUARDS

Security Management Process

Implement policies and procedures to prevent, detect, contain and correct security violations. § 164.308(a)(1)

Boston University will protect the confidentiality, integrity, and availability of ePHI by maintaining appropriate safeguards for the networks and systems that handle ePHI.

BU Information Security, Office of General Counsel and the HIPAA Security and Privacy Officers are responsible for the development and maintenance of policies and procedures designed to prevent, detect, contain and correct security violations. Those policies are found in the Data Protection Standards and this document.

Organizations wishing to create, receive, store, process, or transmit ePHI must adhere to the requirements found in these documents. No computer system, network, electronic device or software may contain ePHI until the proper Risk Analysis has been completed and the solution is approved by BU Information Security.

Risk Analysis

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic Protected Health Information held by the Covered Component. R – § 164.308(a)(1)(ii)(A)

BU Information Security is responsible for the development and maintenance of the HIPAA Assessment and Approval process.

Covered Components, under the direction and with the assistance of BU Information Security, must complete this process before a new system may be used to process or contain ePHI. Contact BU Information Security for details and assistance.

Risk Management

Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a). R – § 164.308(a)(1)(ii)(B)

Covered Components, under the direction and with the assistance of BU Information Security, will maintain a continuous risk management program to ensure that appropriate security measures are implemented and maintained to protect the confidentiality, integrity, and availability of ePHI. Security measures will be commensurate with the risks to the information systems that store, process, transmit or receive ePHI, and will be designed to reduce the risks to ePHI to reasonable and manageable levels.

At a minimum, the risk management program will include the following:

  • Formal risk analyses that document and prioritize risks to the information assets that store, process, transmit, or receive ePHI. [See Risk Analysis]
  • Selection and implementation of reasonable, appropriate, and cost-effective security measures to manage or mitigate identified risks.
  • Security awareness training for Workforce members and other support staff.
  • A regular system update program to ensure that systems and software are protected from new software vulnerabilities.
  • Regular review, evaluation and, if necessary, revision of security safeguards. [See Evaluation]

Sanction Policy

Apply appropriate sanctions against Workforce members who fail to comply with the security policies and procedures of the Covered Component. R – § 164.308(a)(1)(ii)(C)

Protected Health Information is classified as Restricted Use data by the BU Data Protection Standards. As such, the sanctions defined in the Data Protection Standards apply.

The sanctions apply to all Workforce members of Boston University who have access to ePHI. The “Workforce” comprises all employees, volunteers, trainees, and other persons whose conduct, in the performance of work for the Covered Components (including support units), is under the direct control of the Covered Components (including support units), whether or not they are paid by BU.

Information System Activity Review

Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. R – § 164.308(a)(1)(ii)(D)

In order for a system at BU to be approved for use with PHI, it will be required to be connected to automated security monitoring and reporting solutions as defined by BU Information Security.

Administrators of such systems must also review activity and security logs on a reasonable periodic basis to confirm normal and expected system use. Potential security violations must be reported to BU Information Security. [See HIPAA Data Security Incident & Breach Policy]

Assigned Security Responsibility

Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the Covered Component or business associate. R – § 164.308(a)(2)

The BU HIPAA Security Officer and Privacy Officer is: Quinn Shamblin, Executive Director & Information Security Officer

Responsibilities

  • Ensure that the necessary and appropriate HIPAA related policies are developed and implemented to ensure that PHI is properly used and disclosed (privacy) and to safeguard the integrity, confidentiality, and availability of ePHI (security).
  • Act as a spokesperson and single point of contact for Boston University in all issues related to HIPAA security and privacy.

Each Covered Component is required to designate a senior management official to act as the Security Champion for that Covered Component. The Security Champion is responsible for understanding the requirements of the Data Protection Standards and of this policy and coordinating with the BU HIPAA Security Officer and Privacy Officer or designee(s) to confirm that the requirements are properly met.

Workforce Security

Implement policies and procedures to ensure that all members of its Workforce have appropriate access to electronic Protected Health Information, as provided under [the Information Access Management standard], and to prevent those Workforce members who do not have access under [the Information Access Management standard] from obtaining access to electronic Protected Health Information. R – § 164.308(a)(3)

Covered Components must have procedures to ensure that all Workforce members who need access to electronic Protected Health Information (ePHI) have the appropriate access while preventing all others from obtaining access to ePHI.

Authorization and/or Supervision

Implement procedures for the authorization and/or supervision of Workforce members who work with electronic Protected Health Information or in locations where it might be accessed. A – § 164.308(a)(3)(ii)(A)

Covered Components must have procedures for supervision of Workforce members who do not need access to ePHI while working in areas where ePHI is accessible.

Workforce Clearance Procedure

Implement procedures to determine that the access of a Workforce member to electronic Protected Health Information is appropriate. A – § 164.308(a)(3)(ii)(B)

Covered Components must have procedures to determine that the access of a Workforce member to ePHI is appropriate. Access to ePHI must be authorized only to those Workforce members with a legitimate “need to know” based on job responsibilities and the results of a screening process. Workforce members’ access must be limited to the minimum level of access required to perform their job functions.

Background Checks – Boston University conducts background checks as part of the hiring process. When a Covered Component is bringing in a potential Workforce member (including a volunteer or trainee) for a role involving access to ePHI, additional checks should be completed. These may include: confirmation of claimed academic and professional qualifications, professional license validation, credit check, criminal background check, or other state or federal database checks. The type and number of verification checks conducted must be based, among other things, on the probable access to ePHI, and an assessment of risk, cost, benefit, and feasibility, as well as existing protective measures.

Confidentiality Statements – All members of the Workforce at Boston University are required to follow all applicable laws and Boston University policies and procedures. This includes the proper security and confidentiality of PHI with which the member may come into contact.

Employment Agencies – When temporary workers are provided via an agency, the agency should give appropriate written assurances that it has reviewed the candidate’s background and has performed appropriate verification checks. It is the responsibility of each Covered Component to ensure that the temporary worker adheres to all applicable Boston University policies and procedures.

Termination Procedures

Implement procedures for terminating access to electronic Protected Health Information when the employment or engagement of a Workforce member ends or as required by determinations made in accordance with the Workforce clearance procedures. A – § 164.308(a)(3)(ii)(C)

Covered Components must have procedures to properly remove access to ePHI from Workforce members when their employment or engagement ends or when the access is no longer appropriate. The process must include:

  • Internal notification to ensure that the appropriate personnel are made aware that the user’s access to ePHI is no longer required.
  • Recovery of all forms of access to PHI that were granted or assigned to that user. Examples include, but are not limited to, keys, access tokens, and identification badges.
  • Disabling the user’s accounts on networks and systems.
  • Changing administrative or other shared passwords of which the user has been made aware.

If account access must be immediately revoked, call the IS&T Help Center at 617-353-HELP.

Information Access Management

Implement policies and procedures for authorizing access to electronic Protected Health Information that are consistent with the applicable requirements in the Privacy Rule. R – § 164.308(a)(4)

This policy ensures that Workforce members needing access to ePHI have appropriate access, and provides procedural safeguards to ensure that access to ePHI is properly restricted.

Before access to ePHI can be provided to a user, that user must be authorized for the appropriate minimum level of access that their position requires. Access to ePHI and systems that store or process ePHI requires a valid and authorized user account and password. Users are required to authenticate themselves to these systems using their unique user accounts.

Isolating Health Care Clearinghouse Functions

If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic Protected Health Information of the clearinghouse from unauthorized access by the larger organization. R – § 164.308(a)(4)(ii)(A)

Not applicable. Boston University performs no clearinghouse functions.

Access Authorization

Implement policies and procedures for granting access to electronic Protected Health Information, for example, through access to a workstation, transaction, program, process, or other mechanism. A – § 164.308(a)(4)(ii)(B)

  • The head of each Covered Component will designate in writing those managers/supervisors within that entity who may authorize individual Workforce members to have access to ePHI and at what levels. No manager/supervisor (except the head of the Covered Component) may authorize access for her/himself. The manager/supervisor must approve access levels for individuals in writing.
  • Each Covered Component is required to document authorization, including any changes in access, for each Workforce member to whom access is granted.
  • Each Covered Component is required to grant users only the minimum level of access necessary based on their responsibilities.
  • Each Covered Component’s Security Champion is required to ensure that each Workforce member has received training and understands appropriate information handling, usage, and safeguards, and is aware of all applicable HIPAA Privacy and Security policies and procedures.
  • Managers and supervisors of individuals who need access to ePHI must complete an Access Authorization Form for the appropriate system. The request must be approved by the manager or supervisor and the individual, and forwarded to the appropriate security administrator.
  • All Access Authorization Forms should contain confirmation that the Workforce member has received the necessary training.
  • The Covered Component’s Security Champion will resolve any conflicts or discrepancies regarding the level of access requested, in consultation with the HIPAA Privacy Officer and HIPAA Security Officer as needed.

Access Establishment and Modification

Implement policies and procedures that, based upon the entity’s access authorization policies, establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process. A – § 164.308(a)(4)(ii)(C)

Each system containing ePHI must have one or more security administrators who will be responsible for controlling access to the ePHI once such access has been authorized in writing. All new access requests, modifications, and authorizations for such requests will be documented on an Access Authorization Form.

  • The security administrator is responsible for establishing, modifying, and removing access to the ePHI maintained in the system based upon proper documented authorization, as well as maintaining the Access Authorization Form documenting the specific level of access granted.
  • Once access has been granted, the security administrator will keep the approved Access Authorization Form on file for a minimum of six years from the time access is terminated [164.316(b)(2)(i)].
  • Occasionally a user’s required access may change. Covered Component managers and supervisors may request access modifications for a user. Such requests for changes will be submitted on the Access Authorization Form.
  • Managers and supervisors will notify the security administrator immediately when a user’s employment or term of engagement has terminated or when the current level of access to ePHI is no longer required. This notice may be via e-mail or any other expedient method, but it must be in writing.
    • The security administrator will be responsible for ensuring that access is removed within 24 hours of receiving the written request. In the event of involuntary termination or in other special circumstances, access may need to be removed immediately.
  • Covered Component management will review user access levels on an annual basis to ensure that they are appropriate and certify to the HIPAA Security Officer that such reviews have occurred.

Security Awareness and Training

Implement a security awareness and training program for all members of its Workforce (including management). R – § 164.308(a)(5)

All Covered Component Workforce members must complete the security awareness and training program, and all Covered Components must certify annually that their Workforce members have completed training. Completion of the training program is required before access can be granted to ePHI.

Boston University Information Security has developed web-based training on HIPAA Privacy and Security. The security awareness and training program will be updated from time to time, and new versions may be used to meet the security reminder requirement.

Security Reminders

Periodic security awareness updates. A – § 164.308(a)(5)(ii)(A)

BU Information Security is responsible for issuing periodic security and awareness updates to the entire Boston University community and to the BU HIPAA Workforce in particular.

Protection from Malicious Software

Procedures for guarding against, detecting, and reporting malicious software. A – § 164.308(a)(5)(ii)(B)

All systems that contain or may be used to access ePHI are required to have anti-malware software installed, active and kept up-to-date. They are also required to have an active process in place to keep the operating system and installed software up-to-date.

The full set of requirements is provided in the Minimum Security Standards (1.2.E), part of the Data Protection Standards.

Log-in Monitoring

Procedures for monitoring log-in attempts and reporting discrepancies. A – § 164.308(a)(5)(ii)(C)

Security monitoring software is required for any system that stores ePHI. Procedures for monitoring log-in attempts and reporting discrepancies are in place. Every time an end user logs in to a system that stores or processes ePHI, that access and any of their activities on that system may be logged.

Users should remain alert for any suspicious access attempts from their own workstations and workstations around them. Suspicious behavior should be reported to BU Information Security. [See HIPAA Data Security Incident & Breach Policy]

Password Management

Procedures for creating, changing, and safeguarding passwords. A – § 164.308(a)(5)(ii)(D)

This requirement is met by the Access Management and Authentication Requirements (1.2.C), part of the Data Protection Standards.

Summary: Everyone must have their own account, accounts may not be shared, strong passwords are required, and you may change your password any time you wish using the established process for changing your password. If anyone, even your supervisor, demands your password, refer them to this document or have them call BU Information Security. If you know or suspect that your account has been compromised, report it to BU Information Security immediately. [See HIPAA Data Security Incident & Breach Policy]

Password audits may be performed on a periodic or random basis by the HIPAA Security Officer, or delegate. If a password is guessed or cracked during an audit, the user will be required to change the password.

Security Incident Procedures

Implement policies and procedures to address security incidents. R – § 164.308(a)(6)

BU Information Security is responsible for maintaining incident response capabilities, drafting associated policies and procedures, and for responding to incidents. Covered Components are required to ensure that all members of the Workforce understand how to report a Data Security Incident. If any person knows or suspects that there has been a Data Security Incident, it is crucial that he or she report that event immediately. See the Data Security Incident & Breach Reporting section for details on what to do.

Response and Reporting

Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the Covered Component; and document security incidents and their outcomes. R – § 164.308(a)(6)(ii)

Members of the Workforce are responsible for reporting known or suspected security issues. [See Security Incident Procedures above and Data Security Incident & Breach Reporting]

BU Information Security is responsible for responding to incidents in accordance with established procedures.

Organizations are responsible for facilitating incident response and providing assistance where required.

Contingency Plan

Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic Protected Health Information. R – § 164.308(a)(7)

Contingency Planning recognizes that a disaster may occur at some point in the future and develops detailed plans to deal with that disaster, providing an agreed level of interim capability. Included in Contingency Planning are procedures to successfully recover critical business and information assets following a disaster. The presence or absence of such plans affects the risk associated with operating any system.

Covered Components are responsible for Contingency Planning. Covered Components may leverage services available from IS&T in order to help meet Contingency Planning objectives.

Data Backup Plan

Establish and implement procedures to create and maintain retrievable exact copies of electronic Protected Health Information. R – § 164.308(a)(7)(ii)(A)

To ensure the recoverability of ePHI and other critical information assets, Covered Components must maintain formal data backup procedures.

Disaster Recovery Plan

Establish (and implement as needed) procedures to restore any loss of data. R – § 164.308(a)(7)(ii)(B)

Managers assigned responsibility for a system or application are required to coordinate the development of a Disaster Recovery Plan (DRP) for that system or application.

The DRP must be structured to ensure restoration within an acceptable time period for the disaster recovery classification assigned to that application. [See Applications and Data Criticality Analysis]

When developing DRPs, planners must consider disasters of a scale such that operation in the original location may not be possible for an extended period. Restoration times must be agreed to by both the organization running the system and the organization(s) using the system before being finalized. These times should be determined by the Risk Analysis.

Copies of the DRP must be readily available to appropriate personnel in the event of an emergency. Specifically, copies should be maintained in secure locations at the normal processing site, the contingency processing site(s), and at an off-site storage location.

While ultimately the details or even the existence of a Disaster Recovery Plan is a business decision based on risk considerations, BU Information Security recommends that management not accept a system or application without an approved DRP.

Emergency Mode Operation Plan

Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic Protected Health Information while operating in emergency mode. R – § 164.308(a)(7)(ii)(C)

The Covered Component must develop formal procedures to enable the continuation of critical healthcare processes and the protection of ePHI while operating in emergency mode. Examples of situations that may trigger emergency mode operations include but are not limited to: bomb threat, civil disturbance, communications failure, earthquake, explosion, fire, flood, gas/chemical leak, hurricane/wind storm, medical emergency, noxious fumes, power failure, strike, terrorist activity, and workplace violence.

Testing and Revision Procedures

Implement procedures for periodic testing and revision of contingency plans. (The three plans above.) A – § 164.308(a)(7)(ii)(D)

The DRP and Emergency Operations Plan must be tested as appropriate and updated whenever changes occur that materially affect the system. This includes, but is not limited to, changes in personnel, procedures, hardware, software, or operating environment.

At a minimum, an annual review must be conducted and documented by the responsible manager to determine if the plan needs to be revised.

The frequency of the reviews should be commensurate with the criticality of the asset or function protected, as determined by the criticality analysis. Contact lists must be reviewed quarterly.

All major changes require approval by the HIPAA Security Officer.

Applications and Data Criticality Analysis

Assess the relative criticality of specific applications and data in support of other contingency plan components. A – § 164.308(a)(7)(ii)(E)

All systems and applications are important to the University. However, certain applications are more important than others to operational continuity. A Business Impact Analysis (BIA) must be performed and documented in order to classify a system/application for disaster recovery purposes. The BIA is designed to describe the impact on Covered Components if the system/application cannot operate due to a major disaster in any one of Boston University’s processing centers.

Representatives of the application owner, application support, and platform support organizations must complete the BIA as early as possible in the development life cycle of the system/application.

They must select an appropriate disaster recovery category based upon the criteria established in the standard IS&T prioritization matrix. An elaborate analysis is not required; however, the results must support the classification requested. Document any assumptions made.

Evaluation

Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operations changes affecting the security of electronic Protected Health Information, that establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart [the Security Rule]. R – § 164.308(a)(8)

Systems that have been approved for ePHI will be reviewed every two years to ensure their continued compliance with the policies. At the same time, or upon the initiative of an involved party, the Boston University HIPAA policy (this document) may also be evaluated to ensure continued viability in light of technological, environmental, or operational changes that could affect the security of electronic Protected Health Information. To the extent that an organization has established its own policies and procedures, those too will need to be evaluated by the Security Champion of that organization.

If any change is made to any HIPAA policy, enterprise or organizational, it must be made in accordance with the requirements below [See Documentation].

      PHYSICAL SAFEGUARDS

      Facility Access Controls

      Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed. R – § 164.310(a)(1)

      It is the responsibility of the Covered Components to protect their ePHI by controlling and monitoring physical access to their sites, while ensuring that properly authorized access is allowed. Physical access to University data centers will be controlled and monitored by the data center staff.

      Contingency Operations

      Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency. A – § 164.310(a)(2)(i)

      Covered Components must have procedures that allow access to facilities by appropriate personnel during a disaster or declared emergency situation to facilitate the retrieval of the backup media, hardware, and software necessary for the recovery of systems and restoration of lost data. [See Disaster Recovery Planning]

      Facility Security Plan

      Covered Components must have procedures that allow access to facilities by appropriate personnel during a disaster or declared emergency situation to facilitate the retrieval of the backup media, hardware, and software necessary for the recovery of systems and restoration of lost data. [See Disaster Recovery Planning] A – § 164.310(a)(2)(ii)

      Each Covered Component must develop a Facility Security Plan specific to its local environment. This plan must implement procedures to protect their facilities and equipment from unauthorized physical access, tampering, or theft.

      The controls included in the plan should not prohibit building access to authorized disaster recovery personnel retrieving media, systems, software, or hardware necessary for the recovery of critical information systems during a declared emergency mode situation or following a disaster. Physical access by individuals retrieving back-up media should be logged whenever feasible. Logs should include name of person, date, materials removed, and other appropriate details.

      Emergency Access Procedures – Whenever possible, emergency personnel should be escorted by a guard or another authorized person. Physical access by emergency personnel should be logged whenever feasible.

      Security Review – The physical security of any site containing ePHI resources will be periodically reviewed by BU Information Security with the assistance of the Covered Components and appropriate support personnel, especially after any significant change that may have affected the security of data and applications resident at that site.

      Property Control

      Inventory – An inventory of information resources that access or contain ePHI will be maintained by the Covered Component. A reconciliation of the information resources inventory should take place annually, coordinated by the Security Champion for that Covered Component.

      Security – Information resources that contain ePHI must be stored in (or transmitted through) only those locations where physical access to the device (or network) can be controlled and monitored.

      Access Control and Validation Procedures

      Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision. A – § 164.310(a)(2)(iii)

      Physical access to buildings or areas within a building that are occupied by a Covered Component must be controlled. Access control must be effective 24 hours a day, seven days a week. Acceptable methods for controlling access include key-locked or attended entrances and keyed physical access cards. Covered Components must implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor access control.

      Covered Components must also implement procedures for control of access to software programs for testing and revision. These procedures will be contained in the Covered Component’s Facility Security Plan.

      Additional controls are as follows:

      • Entrances and exits that are not guarded or attended must remain locked at all times and must have automatic closers. Doors must not be propped open.
      • The access control procedures in place must be followed by each person entering a controlled access facility. Personnel with access to restricted areas must not allow unauthorized individuals access those restricted areas. Personnel must be vigilant and challenge and report unidentified persons who have gained, or seek to gain, access. [See HIPAA Data Security Incident & Breach Policy]
      • All access to University data centers must be logged. Where automated logging systems (card access systems) do not exist, logging must be done manually. Logs should include name of person, date, and other appropriate details.
      • When practicable and depending on the value and sensitivity of the equipment and data housed in the building, entrances, exits, windows and other means of access into the building should be wired for alarms.
      • When practicable and depending on the value and sensitivity of the equipment and data housed in the building, entrances, exits and strategic areas of the building should be monitored.

      Maintenance Records

      Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks). A – § 164.310(a)(2)(iv)

      Each Covered Component is responsible for ensuring that all repairs, modifications, and maintenance performed on the physical access controls of its facilities are tracked and logged. The physical security controls include doors, locks, fences, badge readers, and surveillance equipment.

      Workstation Use

      Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic Protected Health Information. R – § 164.310(b)

      Members of the Covered Components’ Workforce and other users of workstations and computer systems that access, store, process, receive, or transmit ePHI, must comply with Boston University’s policies concerning access to its computing, network, and information resources [See References]. This requirement is met in particular by the Data Protection Standards.

      Be aware of the following:

      • Boston University has the right to monitor the use of its Electronic Resources, including access to BU data (ePHI and non-ePHI), activity on the BU network and activity of devices on the BU network.
      • Boston University may revoke any user’s privileges, including but not limited to, user accounts and access to secured areas, when it is deemed necessary to preserve the integrity, confidentiality, and availability of facilities, user services, and data.
      • Workstations that contain or have access to ePHI should not be located in publicly accessible areas. If a workstation must be located in a public area, extra precautions must be taken to ensure that unauthorized access to ePHI is not possible from the workstation and that safeguards exist to prevent incidental viewing of ePHI. [See the Data Protection Requirements (1.2.D) and Minimum Security Standards (1.2.E), part of the Data Protection Standards]

      Workstation Security

      Implement physical safeguards for all workstations that access electronic Protected Health Information, to restrict access to authorized users. R – § 164.310(c)

      This requirement is met in part by the Minimum Security Standards (1.2.E), part of the Data Protection Standards. Some topics in the Minimum Security Standards that apply here include: portable devices must be encrypted before they may be used to store ePHI; shared accounts are not permitted; users may not share their password with anyone; servers must be kept in physically locked locations; and users must protect electronic media (CDs, DVDs, disks, etc.) and portable devices (smart phones, USB devices, laptops, etc.) from theft or copying by keeping them securely in a locked location when not in use. Many other important topics are covered there as well.

      There are a few additional items below that apply to ePHI and are not included in the Minimum Security Standards.

      • Requirements for Covered Component workstations in publicly accessible places
        • Password-Protected Screen Saver – Workstations in publicly accessible areas that access ePHI must have password-protected screen savers with an inactivity time-out period. Users must either activate the password-protected screen saver or log off whenever the device is left unattended.
        • When located in publicly accessible areas, workstations that are easily moved should be secured by restraints such as locking cables.
      • Logon Messages – Covered Component Workstations that can access ePHI must display an appropriate message and warning upon logon. The message will indicate that the system is to be used only by individuals authorized for access and unauthorized access is prohibited.

      Reporting of Inappropriate or Unauthorized Use, Theft or Loss – Users suspecting any inappropriate or unauthorized use of Boston University workstations should immediately report such incident or misuse to the Covered Component’s HIPAA Security Champion and to BU Information Security. All thefts and vandalism of workstations and associated equipment must be immediately reported to the Boston University Police, the Security Champion and BU Information Security. [See Data Security Incident & Breach Reporting]

      Device and Media Controls

      Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic Protected Health Information into and out of a facility, and the movement of these items within the facility. R – § 164.310(d)(1)

      This requirement is met by the Data Protection Requirements (1.2.D), part of the Data Protection Standards.

      Summary: All ePHI must be permanently removed from any electronic device (hard drive, storage system, removable disk, floppy drive, CD ROM, DVD, PCMCIA card, memory sticks, and all other forms of media and storage devices) before the device can be discarded or re-used. Permanently removing data from an electronic device is done by a process called “wiping”. See the standard for more details.

      The movement of devices containing ePHI into, out of, and within the Covered Components must be tracked and logged. [See Accountability]

      Disposal

      Implement policies and procedures to address the final disposition of electronic Protected Health Information, and/or the hardware or electronic media on which it is stored. R – § 164.310(d)(2)(i)

      This requirement is met by the Data Protection Requirements (1.2.D), part of the Data Protection Standards.

      Summary: Covered Components must ensure that devices or media do not contain ePHI before disposing of such devices or media. The device or media must be physically destroyed if it contains ePHI and cannot be “wiped”. See the Data Protection Standards for more details. Contact BU Information Security with questions or for assistance.

      Destruction of all electronic media and information systems containing ePHI must be tracked and logged. [See Accountability]

      Media Re-use

      Implement procedures for removal of electronic Protected Health Information from electronic media before the media are made available for re-use. R – § 164.310(d)(2)(ii)

      This requirement is met by the Data Protection Requirements (1.2.D), part of the Data Protection Standards.

      Summary: Covered Components must ensure that devices or media do not contain ePHI before reuse of such devices or media. If the device or media contains ePHI, the Covered Component must use a data destruction tool approved by BU Information Security to permanently remove the ePHI. Reformatting a disk is not sufficient. This also applies to returning equipment to a vendor; do not rely on other parties to destroy or obliterate media. See the Data Protection Standards for more details.

      The use of a data destruction tool before reuse is not required if the media is used for system or data backup, as long as the media is stored and transported in a secured environment.

      Accountability

      Maintain a record of the movements of hardware and electronic media and any person responsible therefor. A – § 164.310(d)(2)(iii)

      Covered Components must implement a procedure to track and maintain records of the internal and external movement of storage devices and media containing ePHI. Storage Devices include hard drives, removable disks, floppy drives, CD ROMs, DVDs, PCMCIA cards, memory sticks, memory cards and all other forms of media and storage devices.

      If a Covered Component chooses to allow ePHI to be stored to portable media, tracking is required throughout the full life cycle of the storage device and includes:

      • Qualifying and approving the device for use for storing ePHI.
      • Tracking and logging the movement of such devices into, out of, and within the Covered Components. Recording the chain of custody and each party responsible for the device or media while in transit.
      • Recording the destruction of all electronic media and devices.

      Data Backup and Storage

      Create a retrievable, exact copy of electronic Protected Health Information, when needed, before movement of equipment. A – § 164.310(d)(2)(vi)

      In order to protect data that may be mission critical, Covered Components must make an exact retrievable copy of the ePHI before relocation of a storage device or media containing ePHI, if the device or media contains the last remaining copy of the data.


      TECHNICAL SAFEGUARDS

      Access Control

      Implement technical policies and procedures for electronic information systems that maintain electronic Protected Health Information to allow access only to those persons or software programs that have been granted access rights. R – § 164.312(a)(1)

      This requirement is met by the BU Data Protection Standards. While the full set of Data Protection Standards contains applicable requirements, the document entitled “Access Management and Authentication Requirements (1.2.C)” contains controls that are particularly relevant to this section.

      Unique User Identification

      Assign a unique name and/or number for identifying and tracking user identity. R – § 164.312(a)(2)(i)

      This requirement is met by the Access Management and Authentication Requirements (1.2.C), part of the Data Protection Standards.

      Emergency Access Procedure

      Establish (and implement as needed) procedures for obtaining necessary electronic Protected Health Information during an emergency. R – § 164.312(a)(2)(ii)

      This requirement is met by the Disaster Recovery Plan and Emergency Mode Operation Plan sections above.

      Automatic Logoff

      Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. A – § 164.312(a)(2)(iii)

      This requirement is met by the Minimum Security Standards (1.2.E), part of the Data Protection Standards.

      Summary: Where the Covered Component has its own applications, those applications must be configured to either lock the session or log out after a period of time designated for system or screen locking for Restricted Use data in the Minimum Security Standards.

      Encryption and Decryption

      Implement a mechanism to encrypt and decrypt electronic Protected Health Information. (This item refers to data at rest. Data in motion is covered by Transmission Security.) A – § 164.312(a)(2)(iv)

      This requirement is met by the Data Protection Requirements (1.2.D) and Minimum Security Standards (1.2.E), part of the Data Protection Standards.

      Summary: ePHI must be encrypted if stored on any portable device. In some cases, ePHI stored on a centrally supported server or system does not need to be encrypted if there are other compensating controls approved by BU Information Security.

      Audit Controls

      Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic Protected Health Information. R – § 164.312(a)(1)

      Boston University has the right to monitor the use of its electronic resources, including access to BU data (ePHI and non-ePHI), activity on the BU network and activity of devices on the BU network.

      Systems being used to store or process ePHI must support proper access and security auditing. Contact BU Information Security for guidance and services available to support this requirement.

      Integrity

      Implement policies and procedures to protect electronic Protected Health Information from improper alteration or destruction. R – § 164.312(c)(1)

      Technology is available from IS&T and other sources that allows an organization to monitor the integrity of a system and files on that system. Such technologies must be implemented before the system may be approved for use with ePHI. Contact BU Information Security for details of currently available integrity monitoring solutions.

      Mechanism to Authenticate ePHI

      Implement electronic mechanisms to corroborate that electronic Protected Health Information has not been altered or destroyed in an unauthorized manner. A – § 164.312(c)(2)

      Technology is available from IS&T and other sources that allows an organization to monitor the integrity of a system and files on that system. Such technologies must be implemented before the system may be approved for use with ePHI. Contact BU Information Security for details of currently available integrity monitoring solutions.

      Person or Entity Authentication

      Implement procedures to verify that a person or entity seeking access to electronic Protected Health Information is the one claimed. R – § 164.312(d)

      Systems at Boston University rely on your password as the proof that you are indeed who you claim to be. This is why it is so important that you have a good password and that you never share that password.

      The full password requirements are set forth in the Access Management and Authentication Requirements (1.2.C), part of the Data Protection Standards.

      Summary:

      • Select a strong password.
      • Do not use the same password at BU that you use elsewhere.
      • Do not share your password with anyone (not your friend, your colleague, your assistant, your secretary, your IT support contact, no one).
      • No user-level account may be set up as a shared account.
      • Change your password regularly.

      Administrative passwords are particularly sensitive and must be changed regularly. They also must be changed when someone who knows that password leaves Boston University or the Covered Component, or a person’s need for administrator-level access expires.

      If an account or password is suspected to have been compromised, report the incident to BU Information Security and change the password. [See Data Security Incident & Breach Reporting]

      BU Information Security may periodically review password strength by attempting to guess or crack a password. If a password is guessed or cracked during one of these reviews, the user will be required to change that password.

      Transmission Security

      Implement technical security measures to guard against unauthorized access to electronic Protected Health Information that is being transmitted over an electronic communications network. R – § 164.312(e)(1)

      ePHI must be protected when it is at rest (stored in an application, on a hard drive or on a network share, for example) and when it is in motion (being sent across a network or the Internet). The requirements of this section are met by the Data Protection Standards.

      Integrity Controls

      Implement security measures to ensure that electronically transmitted electronic Protected Health Information is not improperly modified without detection until disposed of. A – § 164.312(e)(2)(i)

      Solutions used to transmit ePHI electronically must incorporate controls to detect if that data has been in any way modified during transmission. Where a Covered Component provides its own solutions for handling ePHI, those solutions must meet this requirement.

      For example, DataMotion SecureMail is a secure, encrypted email solution provided by BU for the purpose of transmitting regulated or sensitive data if it must be sent via email (not generally recommended). SecureMail encrypts your message before it leaves your computer and maintains an audit record of all access to that message. The message cannot be modified or changed in any way without detection before being received by the intended recipient.

      Encryption

      Implement a mechanism to encrypt electronic Protected Health Information whenever deemed appropriate. A – § 164.312(e)(2)(ii)

      This requirement is met by the Data Protection Requirements (1.2.D) and the Minimum Security Standards (1.2.E), part of the Data Protection Standards.

      Summary:

      • ePHI must be encrypted if stored on any portable device (laptop, USB drive, memory chip, smart phone, etc.).
      • If ePHI must be sent via email (not recommended), a secure, encrypted email solution must be used except in the limited circumstances described in “BU HIPAA Policy Addendum 1-3-2 – Release of Health Information in Electronic Form”.
      • ePHI must be encrypted when being transmitted through the public Internet (not via email).
      • ePHI must generally be encrypted when being transmitted across the network, even internal to BU (although exceptions to this requirement may be granted by BU Information Security if sufficient compensating controls exist).
      • It is highly recommended that ePHI be encrypted even when stored on a centrally provided server.
      • Two-factor authentication is required for central systems containing ePHI for multiple users.

      See the Data Protection Standards for full details.

      See also BU Data Protection – Transmission of Electronic Health Information and the Authorization form.



      ORGANIZATIONAL REQUIREMENTS

      Policies and Procedures

      Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in § 164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A Covered Component or business associate may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart. R – § 164.316(a)

      This document works together with the BU Data Protection Standards to meet this requirement for all Covered Components.

      Documentation

      (i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and (ii) if an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment. R – § 164.316(b)(1)

      Formal policy documentation must be maintained to ensure that the Covered Component has a clear understanding of management directives with respect to HIPAA compliance.

      Where a Covered Component chooses to establish its own internal policies to provide greater guidance to that organization, those policies must be separately documented and maintained by the HIPAA Security Champion for that Covered Component.

      Time Limit

      Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later. R – § 164.316(b)(2)(i)

      If any change is made to any HIPAA policy—enterprise or Covered Component—the previous version of the policy must be archived and remain available for 6 years starting from when the new policy goes into effect.

      • The BU HIPAA Security Officer is responsible for maintaining historical copies of the enterprise policies.
      • The Security Champion for a given Covered Component is required to maintain historical copies of any local policies.

      Availability

      Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains. R – § 164.316(b)(2)(ii)

      • The HIPAA Security Officer is responsible for maintaining and promulgating enterprise policies.
      • The Security Champion is responsible for maintaining and promulgating any policies established at the Covered Component level.

      Updates

      Review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic Protected Health Information. R – § 164.316(b)(2)(iii)

      The Boston University HIPAA Policy (this document) will be evaluated when needed to ensure continued viability in light of technological, environmental, or operational changes that could affect the security of electronic Protected Health Information (ePHI).

      To the extent that a Covered Component has established its own policies and procedures, those will need to be evaluated by the Security Champion of that Covered Component.

      The policy evaluation process may be triggered by one or more of the following events:

      • Changes in the HIPAA Security Rule or Privacy Rule or other applicable law;
      • Changes in technology, environmental processes, or business processes that may affect HIPAA Security policies or procedures;
      • A material security violation, breach, or other security incident.