HIPAA Security Rule Compliance: IT0001
Effective Date: 12/20/06
Last Revision Date: 4/12/19

HIPAA Security Rule Compliance

| I-Purpose/Scope | II-Background | III-Definitions | IV-Detailed Policy Statement | V-Getting Help | VI-Applicability and Authority | VII-References | VIII-Attachments |

I.   PURPOSE/SCOPE

UC Santa Cruz (UCSC) is subject to the federal Health Insurance Portability and Accountability Act (HIPAA) Security Rule, which identifies legal requirements for the protection of electronic health information for health care providers and related entities. The purpose of this policy is to establish the requirement that all UCSC entities subject to the HIPAA Security Rule must implement an identified set of practices consistent with the UC HIPAA Information Security Policy.

In the event that this policy and the University of California's HIPAA Policies conflict, the University of California's HIPAA Policies take precedence.


II.   BACKGROUND

The HIPAA Security Rule, adopted in 2003, establishes safeguards to ensure the confidentiality of electronic protected health information (ePHI) as well as the appropriate access and use of this information.

UCSC's HIPAA Security Official, in consultation with the UCSC IT Security Committee, empowered the UCSC HIPAA Security Compliance Team to develop a common set of practices (the UCSC Practices for HIPAA Security Rule Compliance) which, when fully implemented, would fulfill and demonstrate compliance with the HIPAA Security Rule. This group includes representatives from all campus units subject to the HIPAA Security Rule, Internal Audit, and ITS Security and management.

UCSC's HIPAA Security Official also recognized this group as the appropriate body to review and update these Practices annually, or more frequently in response to environmental or operational changes that affect the security of ePHI, as well as to determine whether each UCSC HIPAA entity has fully and appropriately implemented them.


III.   DEFINITIONS

Terms used within the policy are defined in the University of California's HIPAA Glossary.


IV.   DETAILED POLICY STATEMENT

All UCSC entities subject to HIPAA Security Rule requirements must implement the UCSC Practices for HIPAA Security Rule Compliance or, for addressable implementation specifications, identify compensating controls where it is not practical or possible to fully address the Practices as stated. Implementation of these Practices must be documented utilizing the UCSC HIPAA Security Rule Compliance Workbook, and must be reviewed and updated at least annually.


V.   GETTING HELP

For help with...

Contact...

... questions about this policy, including attachments

Byron Walker, HIPPA Security Officer, (831) 459-3592 and Tamara Santos, Policy and Compliance Manager, (831)459-2779, or itpolicy@ucsc.edu.

... technical questions about implementing the UCSC Practices for HIPAA Security Rule Compliance

The ITS Support Center: itrequest.ucsc.edu, help@ucsc.edu, 459-HELP, or M-F 8AM-5PM, 54 Kerr Hall

ITS Academic Divisional Liaisons and local computer support:
http://its.ucsc.edu/get-help/dls.html


VI.   APPLICABILITY AND AUTHORITY

This policy applies to all UCSC entities subject to HIPAA Security Rule requirements. The University of California HIPAA Administrative Requirements Policy defines which UC entities and workforce members are subject to the HIPAA regulations and UC's systemwide HIPAA policies. At UCSC, entities to which the HIPAA Security Rule applies are determined through discussion with University Counsel and Internal Audit.

The Vice Chancellor for Information Technology is the campus authority for the HIPPA Rule Security Compliance policy, with implementation authority delegated to the HIPPA Security Officer.

This policy was originally reviewed and approved by the Campus Provost/Executive Vice Chancellor on 12/20/2006. This policy will be reviewed every five years, or more frequently in response to significant changes in the law, policy, environment or operations.


VII.   REFERENCES

Federal

University of California

UC Santa Cruz


VIII.   ATTACHMENTS - All available online at http://its.ucsc.edu/policies/hipaa.html

Attachment 1: UCSC Practices for HIPAA Security Rule Compliance
Attachment 2: UCSC HIPAA Security Rule Compliance Workbook
Attachment 3: Current list of UCSC entities subject to HIPAA Security Rule requirements

IX. REVISION HISTORY

4/12/19: Five year review: minor changes in formatting and language to meet new standards.

12/5/13: Modified the "purpose" section of the policy to state that UCSC entities subject to the HIPAA Security Rules must implement an identified set of "practices" consistent with the UC HIPAA Information Security Policy". Updated links.

1/5/11: Modified definitions and references in alignment with newly released UC HIPAA policies. Added statement regarding the event that UC HIPAA policies do not agree, UC's policies are controlling. Add role of UCSC HIPAA Security Officer to several sections. Minor modifications to Background and Detailed Policy Statement.

1/7/09: Link fixes

12/20/06: New Policy