| What you should do | How you should do it |
|---|---|
| 1. Determine if the Health Insurance Portability and Accountability Act (HIPAA) Security Rule applies to you | The Security Rule protects Electronic Patient Health Information (ePHI) including, but not limited to: |
| | - personally identifying information such as name, social security number, driver's license number, financial account number or credit card number |
| | - health care or health care payment information, reports, test results |
| | - demographic information including address, date of birth, date of death, sex, e-mail, web address |
| | - medical record number, insurance number |
| | - dates of service, e.g., date of appointment, admission and discharge |
| | If you create, store, manage, or receive any ePHI as defined above, you are a "Covered Entity". You will need to become Security Rule compliant by implementing specific computer security safeguards. |
| | You can use the HIPAA Security Survey to determine if you need to be concerned about |
| | The steps in the remainder of this document will guide you to becoming Security Rule compliant. |
| | Note: If you have determined that this does not apply to you, you do not need to read further. |
| 2. If this applies to you, understand what Security Rule compliance means | Your computing security practices need to be consistent with |
| 3. Assess and analyze your risk | - Analyze your security practices against the guidelines to identify any deficiencies. Determine what additional measures, if any, are needed using the Security Self-assessment Checklist. |
| | - The self-assessment needs to be repeated annually, or whenever a major change within a unit occurs that might affect ePHI security. |
| 4. Develop policies and procedures | Develop policies and procedures to address risk. Select and implement cost-effective controls, countermeasures and safeguards. |
| | - File and database encryption are key technologies for securing data. Refer to the UC Encryption Guidelines for details. UC has also negotiated a contract with vendors for |
| | Please refer to the UC Encryption Tools purchasing agreements. |
| 5. Train or retrain staff | New employees must be trained within 90 days of hire. |
| | - Employees need to be retrained annually or as job descriptions change. |
| | - Please take the "HIPAA Information Security" course using the UCI Training and Employee Development System (TED). |
| | - Check with your supervisor for other HIPAA Security training courses that may be required by your unit. |
| 6. Manage the computing environment | Monitor and audit systems and logs. Monitor and resolve new risks. |
| 7. Respond to incidents | Report security incidents and breaches to the confidential message line: 1-888-456-7006 |
| | - Additionally, please follow the procedures defined under "Compromised Computer with Sensitive Data", available at Keeping Your Data Safe. |
| 8. Do you have any Partner Agreements? | - Chain of Trust Partner Agreements need to be developed with your legal counsel. |
| | - Contract language should require the partner to maintain the confidentiality and integrity of the protected data. |