Policy #: IT0001
Effective Date: 12/20/06
Last Revision Date: 12/5/13

UCSC HIPAA Security Rule Compliance Policy

| I-Purpose/Scope | II-Background | III-Definitions | IV-Detailed Policy Statement | V-Getting Help | VI-Applicability and Authority | VII-References | VIII-Attachments |

I.   PURPOSE/SCOPE

UC Santa Cruz is subject to the federal Health Insurance Portability and Accountability Act (HIPAA) Security Rule [1], which identifies legal requirements for the protection of electronic health information for health care providers and related entities. The purpose of this policy is to establish the requirement that all UCSC entities subject to the HIPAA Security Rule must implement an identified set of practices consistent with the UC HIPAA Information Security Policy.

In the event that this policy and the University of California's HIPAA Policies [1] do not agree, the University of California's HIPAA Policies are controlling.


II.   BACKGROUND

The HIPAA Security Rule, adopted in 2003, establishes safeguards to ensure the confidentiality of electronic protected health information (ePHI) as well as the appropriate access and use of this information.

UCSC's HIPAA Security Official, in consultation with the UCSC IT Security Committee, empowered the UCSC HIPAA Security Compliance Team to develop a common set of practices (the UCSC Practices for HIPAA Security Rule Compliance [2]) which, when fully implemented, would fulfill and demonstrate compliance with the HIPAA Security Rule. This group includes representatives from all campus units subject to the HIPAA Security Rule, Internal Audit, and ITS Security and management.

UCSC's HIPAA Security Official also recognized this group as the appropriate body to review and update these Practices annually, or more frequently in response to environmental or operational changes that affect the security of ePHI, as well as to determine whether each UCSC HIPAA entity has fully and appropriately implemented them.


III.   DEFINITIONS

The University of California's HIPAA Glossary [3] defines the following terms: 

  • Electronic Protected Health Information, or ePHI
  • Implementation Specifications
    • Addressable
    • Required

IV.   DETAILED POLICY STATEMENT

All UCSC entities subject to HIPAA Security Rule requirements must implement the UCSC Practices for HIPAA Security Rule Compliance [2] or, for addressable implementation specifications, identify compensating controls where it is not practical or possible to fully address the Practices as stated. Implementation of these Practices must be documented utilizing the UCSC HIPAA Security Rule Compliance Workbook [4], and must be reviewed and updated at least annually.


V.   GETTING HELP

For help with...

Contact...

... questions about this policy, including attachments

ITS Service Manager for Policy and Compliance: itpolicy@ucsc.edu, (831) 459-2779

... technical questions about implementing the UCSC Practices for HIPAA Security Rule Compliance

The ITS Support Center: itrequest.ucsc.edu, help@ucsc.edu, 459-HELP, or M-F 8AM-5PM, 54 Kerr Hall

ITS Divisional Liaisons and local computer support:
http://its.ucsc.edu/get-help/dls.html


VI.   APPLICABILITY AND AUTHORITY

This policy applies to all UCSC entities subject to HIPAA Security Rule requirements. The University of California HIPAA Administrative Requirements Policy [5] defines which UC entities and workforce members are subject to the HIPAA regulations and UC's systemwide HIPAA policies. At UCSC, entities to which the HIPAA Security Rule applies are determined through discussion with University Counsel and Internal Audit [6].

UCSC's HIPAA Security Official, on behalf of the Office of the Chancellor, is the campus authority for the HIPAA Security Rule Compliance Policy. This policy was originally reviewed and approved by the Campus Provost/Executive Vice Chancellor on 12/20/2006, and last reviewed 12/5/13. It will be reviewed every three years, or more frequently in response to significant changes in the law, policy, environment or operations.


VII.   REFERENCES

Federal

University of California

UC Santa Cruz


VIII.   ATTACHMENTS - All available online at http://its.ucsc.edu/policies/hipaa.html

Attachment 1: UCSC Practices for HIPAA Security Rule Compliance
Attachment 2: UCSC HIPAA Security Rule Compliance Workbook
Attachment 3: Current list of UCSC entities subject to HIPAA Security Rule requirements


Footnotes:

[1] See Sec VII. References
[2] See Sec VIII, Attachment 1
[3] Direct link to UC's HIPAA Glossary: http://policy.ucop.edu/doc/1110170
[4] See Sec VIII, Attachment 2
[5] Direct link to UC's HIPAA Administrative Requirements Policy: http://policy.ucop.edu/doc/1110159
[6] See Sec VIII, Attachment 3