Health Insurance Portability and Accountability Act (HIPAA)

Security


HIPAA Security Rule Overview

The Security Rule focuses on the confidentiality, integrity, and availability of electronic protected health information (ePHI) that Yale University's covered components create, access, transmit or receive.

ePHI is any Protected Health Information (PHI) that is stored, accessed, transmitted or received electronically; hence the “e” at the beginning of ePHI.

Confidentiality is the assurance that ePHI data is shared only among authorized persons or organizations.

Integrity is the assurance that ePHI data is not changed unless an alteration is known, required, documented, validated and authoritatively approved. Most important to HIPAA, data integrity ensures that we can rely on data in making medical decisions. It is an assurance that the information is authentic and complete, and that the information can be relied upon to be sufficiently accurate for its purpose.

Availability is the assurance that systems responsible for delivering, storing and processing critical ePHI data are accessible when needed, by those who need them under both routine and emergency circumstances.

Privacy vs. Security

HIPAA regulations cover both security and privacy. Security and privacy are distinct, but related.

  • The Privacy rule focuses on the right of an individual to control the use of his or her personal information. Protected health information (PHI) should not be divulged or used by others against their wishes. The Privacy rule covers the confidentiality of PHI in all formats including electronic, paper and oral. Confidentiality is an assurance that the information will be safeguarded from unauthorized disclosure. The physical security of PHI in all formats is an element of the Privacy rule. See Guidelines for Physical Security: Paper Medical Records and PHI in All Formats.
  • The Security rule focuses on administrative, technical and physical safeguards specifically as they relate to electronic PHI (ePHI). Protection of ePHI data from unauthorized access, whether external or internal, stored or in transit, is all part of the security rule.

HIPAA Security Updates and Reminders

Yale University is committed to providing the highest quality health care, which includes respecting patients’ and clinical research subjects’ rights to maintain the privacy of their health information. The standards for protecting patient health information are described in the federal law known as the Health Insurance Portability and Accountability Act (HIPAA). Yale’s HIPAA policies are designed to ensure the appropriate security of all patient health information across the University, in compliance with the law. Yale’s HIPAA privacy and security compliance policies are available at www.hipaa.yale.edu.

You are responsible for complying with these policies.

Policies and Procedures related to HIPAA Security

5100 HIPAA Security Anchor Policy: Electronic Protected Health Information (ePHI) Security Compliance

5111 Physical Security Policy

5111 PR.1 procedure: Physical Facility Security Plan for University and ITS Data Centers

5111 PR.2 procedure: Physical Access and Environmental Supports to Protected Health Information

5123 Electronic Communication of Health Related Information
(Email, Voice Mail and other Electronic Messaging Systems)

5123 PR.1 procedure: Communication of PHI via Electronic Messaging

5142 Information System Activity Review

5142 PR.1 procedure: Information Systems Activity Review Procedure

5143 Yale University IT Security Incident Response Policy

5033 Disclosure of PHI to Business Associates

5033 PR.1 procedure: Disclosure of PHI to Business Associates

1601 Information Access and Security

1601 PR.3 procedure: Access Control for Protected Health Information (ePHI)

1607 Information Technology Appropriate Use Policy

1607 PR.1 procedure: University Endorsed Encryption Implementations

1609 Media Control

1609 PR.1 procedure: Disposal of Media Containing Confidential or Protected Health Information

1610 Systems and Network Security Policy

1610 PR.1 procedure: Systems and Network Security Procedure

1610 PR.2 procedure: Disposal of Obsolete Computers and Peripheral