Policy #: IT0001
Effective Date: 12/20/06
Last Revision Date: 12/1/10
Purpose/Scope | Background | Definitions | Detailed Policy Statement | Getting Help | Applicability and Authority | References | Attachments |
UC Santa Cruz is subject to the federal Health Insurance Portability and Accountability Act (HIPAA) Security Rule , which identifies legal requirements for the protection of electronic health information for health care providers and related entities. The purpose of this policy is to establish the requirement that all UCSC entities subject to the HIPAA Security Rule must implement an identified set of practices in order to fulfill and demonstrate compliance with the requirements of this legislation.
In the event that this policy and the University of California's HIPAA Policies  do not agree, the University of California's HIPAA Policies are controlling.
The HIPAA Security Rule, adopted in 2003, establishes safeguards to ensure the confidentiality of electronic protected health information (ePHI) as well as the appropriate access and use of this information.
UCSC's HIPAA Security Official, in consultation with the UCSC IT Security Committee, empowered the UCSC HIPAA Security Compliance Team to develop a common set of practices (the UCSC Practices for HIPAA Security Rule Compliance ) which, when fully implemented, would fulfill and demonstrate compliance with the HIPAA Security Rule. This group includes representatives from all campus units subject to the HIPAA Security Rule, Internal Audit, and ITS Security and management.
UCSC's HIPAA Security Official also recognized this group as the appropriate body to review and update these Practices annually, or more frequently in response to environmental or operational changes that affect the security of ePHI, as well as to determine whether each UCSC HIPAA entity has fully and appropriately implemented them.
The University of California's HIPAA Glossary  defines the following terms:
IV. DETAILED POLICY STATEMENT
All UCSC entities subject to HIPAA Security Rule requirements must implement the
UCSC Practices for HIPAA Security Rule Compliance  or, for addressable implementation specifications,
identify compensating controls where it is not practical or possible to
fully address the Practices as stated. Implementation of these Practices must be documented utilizing the UCSC HIPAA Security Rule Compliance Workbook , and must be reviewed and updated at least annually.
V. GETTING HELP
For help with...
... questions about this policy, including attachments
ITS Service Manager for Policy and Compliance: email@example.com, (831) 459-2779
... technical questions about implementing the UCSC Practices for HIPAA Security Rule Compliance
ITS Divisional Liaisons and local computer support:
VI. APPLICABILITY AND AUTHORITY
This policy applies to all UCSC entities subject to HIPAA Security Rule requirements. The University of California HIPAA Administrative Requirements Policy  defines which UC entities and workforce members are subject to the HIPAA regulations and UC's systemwide HIPAA policies. At UCSC, entities to which the HIPAA Security Rule applies are determined through discussion with University Counsel and Internal Audit .
UCSC's HIPAA Security Official, on behalf of the Office of the Chancellor, is the campus authority for the HIPAA Security Rule Compliance Policy. This policy was originally reviewed and approved by the Campus Provost/Executive Vice Chancellor on 12/20/2006. It will be reviewed every three years, or more frequently in response to significant changes in the law, policy, environment or operations.
University of California
UC Santa Cruz
VIII. ATTACHMENTS - All available online at http://its.ucsc.edu/policies/hippa.html
Attachment 1: UCSC Practices for HIPAA Security Rule Compliance
Attachment 2: UCSC HIPAA Security Rule Compliance Workbook
Attachment 3: Current list of UCSC entities subject to HIPAA Security Rule requirements
 See Sec VII. References
 See Sec VIII, Attachment 1
 Direct link to UC's HIPAA Glossary: http://www.ucop.edu/ucophome/coordrev/policy/hipaa_glossary.pdf
 See Sec VIII, Attachment 2
 Direct link to UC's HIPAA Administrative Requirements Policy: http://www.ucop.edu/ucophome/coordrev/policy/hipaa_adminreqs.pdf
 See Sec VIII, Attachment 3