HIPAA Security Policy & Guidelines
There is no silver bullet. In the event of a breach, Yale is required to notify HHS, the patient and, in some cases, the media. The goal of these policies and guidelines is to enhance the security of our patients’ health information. These policies address the security of paper records and, especially, of electronic protected health information (ePHI). They apply to all faculty, staff, trainees and students in Yale University Covered Components who store, access, transmit or receive ePHI. The Covered Components are the School of Medicine (excluding the School of Public Health, the Animal Resources Center and the basic science departments: Cell Biology, Cellular and Molecular Physiology, Comparative Medicine, History of Medicine, Immunobiology, Microbial Pathogenesis, Molecular Biophysics & Biochemistry, Neurobiology and Pharmacology), the School of Nursing, University Health Services, the Department of Psychology clinics and the Group Health Plan Component. You are responsible for complying with these policies.
If you administer an “above-threshold” system, or control other people’s access to such a system, you must register the system.
Upon request sent to firstname.lastname@example.org, ITS will run security scans against servers and installed applications to confirm they are configured securely.
Departments are responsible for appropriately managing their servers that store ePHI and for meeting all Yale security standards, which include:
- OS and application security patches are to be tested and applied promptly after they are released
- Antivirus mechanisms are to be in place and regularly updated
- Protection from external attacks by a network security firewall – preferably by placing the server behind a dedicated commercial network firewall run by ITS
- Security vulnerabilities are to be monitored and protections against them applied as they become available
- Servers should be housed in the Yale ITS data center and managed by ITS or by administrators approved by ITS
- ISO/IA approves the delegation of IT administration of ePHI systems to IT staff other than ITS. The criteria for delegating IT administration to non-ITS staff include:
  - Are the staff experienced, trained, professional IT staff? Note that they must have taken HIPAA Privacy & Security training.
  - Do they hold IT certifications or IT academic degrees?
  - Or, if they work for a vendor, is the vendor certified and does it have a BAA (Business Associate Agreement) with ITS?
An above-threshold ePHI system is one that creates, accesses, transmits or receives:
- primary source ePHI;
- ePHI critical for treatment, payment or health care operations; or
- any form of ePHI where the host system is configured to allow access by multiple people.
Examples of above-threshold systems include:
- a personal computer with a Microsoft Access database containing ePHI that is configured to allow access by more than one person;
- a departmental server containing ePHI;
- a computer system used to create, access, transmit or receive ePHI that is configured to allow access by a non-Yale vendor/contractor;
- a clinical care system which contains primary source ePHI; and
- a billing system which is critical for clinical operations.
Servers should be used whenever any one of the following conditions applies:
- You are storing the ePHI of 500 or more patients;
- Access to the ePHI is shared by more than one user;
- The files containing the ePHI comprise 500 GB of data or more.
Exceptions must be approved by the Yale ITS Information Security Office (ISO). Where an exception is approved, the following requirements apply:
- The computer must subscribe to the ITS backup service
- The computer must be registered in the Information Security Office Systems Inventory
- The database or system must complete an Information Security Office Security Design Review