Purpose

These minimum standards serve as a supplement to the Information Resources Use and Security Policy, specifically for devices that are used to work with HIPAA protected data. Adherence to the standards will increase the security of systems and help safeguard university information technology resources. These minimum standards exist in addition to all other university policies and federal and state regulations governing the protection of the university's data.

Compliance with these requirements does not imply a completely secure system. Instead, these requirements should be integrated into a comprehensive system security plan.

Scope

These standards apply to all devices, physical or virtual, that are used to process, view, modify, store, or otherwise interact with any data that is classified as Protected Health Information (PHI).

Audience

All persons with access to any computing device that falls within the scope defined in the previous section of this document.

Minimum Standards

Note that the implementation specifications provided in the Security and Privacy rules may be addressable or required. Some standards do not have any implementation specifications. These standards are just the minimum for HIPAA compliance. In some cases, additional controls may be necessary to comply with university policy. All devices must also meet the Minimum Security Standards for Systems.

Administrative Safeguards

Security Management
Standard: Security Management (§164.308 (a)(1))
Implement policies and procedures to prevent, detect, contain, and correct security violations.

Implementation specifications:

Risk analysis: Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held.
  UT note: This assessment is required annually per university policy. The Information Security Office may be able to conduct the assessment, depending upon the size and scope of the covered environment.
  Type: Required | Reference: §164.308 (a)(1)(ii)(A)

Risk management: Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. These measures must, at a minimum:
  • protect against any reasonably anticipated threat or hazard to the security or integrity of such information,
  • ensure compliance by employees, and
  • protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under Subpart E of the HIPAA Privacy Rule.
  Type: Required | Reference: §164.308 (a)(1)(ii)(B)

Sanction policy: Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures.
  Type: Required | Reference: §164.308 (a)(1)(ii)(C)

Information system activity review: Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
  UT note: Splunk might be useful for log aggregation, searching, and custom activity alerts, and is available free of charge to campus.
  Type: Required | Reference: §164.308 (a)(1)(ii)(D)

Assign Security Responsibility
Standard: Assign Security Responsibility (§164.308 (a)(2))
Identify the security official who is responsible for the development and implementation of required policies and procedures.

Implementation specifications: N/A

Workforce Security
Standard: Workforce Security (§164.308 (a)(3))
Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under §164.308 (a)(4), and to prevent those workforce members who do not have access under §164.308 (a)(4) of the HIPAA Security Rule from obtaining access to electronic protected health information.

Implementation specifications:

Authorization and/or supervision: Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.
  Type: Addressable | Reference: §164.308 (a)(3)(ii)(A)

Workforce clearance procedure: Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.
  Type: Addressable | Reference: §164.308 (a)(3)(ii)(B)

Termination procedures: Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends or as required by determinations made as specified in §164.308 (a)(3)(ii)(B).
  Type: Addressable | Reference: §164.308 (a)(3)(ii)(C)

Information Access Management
Standard: Information Access Management (§164.308 (a)(4))
Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of Subpart E of the HIPAA Privacy Rule.

Implementation specifications:

Access authorization: Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism.
  Type: Addressable | Reference: §164.308 (a)(4)(ii)(B)

Access establishment and modification: Implement policies and procedures that, based upon access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process.
  Type: Addressable | Reference: §164.308 (a)(4)(ii)(C)

Security Awareness and Training
Standard: Security Awareness and Training (§164.308 (a)(5))
Implement a security awareness and training program for all members of its workforce (including management).

Implementation specifications:

Implement a security awareness and training program that, at a minimum, covers:
  • procedures for creating, changing and safeguarding passwords;
  • periodic security updates;
  • procedures for protecting against, detecting, and reporting malicious software; and
  • procedures for monitoring login attempts and reporting discrepancies.
  Type: Addressable | Reference: §164.308 (a)(5)(ii)(A-D)

Security Incident Procedures
Standard: Security Incident Procedures (§164.308 (a)(6))
Implement policies and procedures to address security incidents.

Implementation specifications:

Response and Reporting: Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.
  UT note: All incidents must be reported immediately to the Information Security Office (abuse@utexas.edu).
  Type: Required | Reference: §164.308 (a)(6)(ii)(A)

Contingency Plan
Standard: Contingency Plan (§164.308 (a)(7))
Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.

Implementation specifications:

Data backup plan: Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.
  UT note: An on-site CrashPlan service is available to staff, faculty, and departments. When combined with a user-managed encryption key, this service can be used with HIPAA data.
  Type: Required | Reference: §164.308 (a)(7)(ii)(A)

Disaster recovery plan: Establish (and implement as needed) procedures to restore any loss of data.
  Type: Required | Reference: §164.308 (a)(7)(ii)(B)

Emergency mode operation plan: Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.
  UT note: The Information Security Office provides a disaster recovery planning service, UT Ready, and business impact analysis templates for business continuity and disaster recovery documentation/planning.
  Type: Required | Reference: §164.308 (a)(7)(ii)(C)

Testing and revision procedures: Implement procedures for periodic testing and revision of contingency plans.
  Type: Addressable | Reference: §164.308 (a)(7)(ii)(D)

Applications and data criticality analysis: Assess the relative criticality of specific applications and data in support of other contingency plan components.
  UT note: The Information Security Office provides AppReg to register and assess the criticality of in-house developed applications.
  Type: Addressable | Reference: §164.308 (a)(7)(ii)(E)

Evaluation
Standard: Evaluation (§164.308 (a)(8))
Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which the security policies and procedures meet the requirements of §164.308 (a).

Implementation specifications: N/A

Business Associate Contracts and Other Arrangements
Standard: Business Associate Contracts and Other Arrangements (§164.308 (b)(1))
A covered entity, in accordance with §164.306, may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with §164.314 (a) that the business associate will appropriately safeguard the information.

Implementation specifications:

Written contract or other arrangement: Document the satisfactory assurances required through a written contract or other arrangement with the business associate that meets the applicable requirements of §164.314 (a).
  Type: Required | Reference: §164.308 (b)(4)

Physical Safeguards

Facility Access Controls
Standard: Facility Access Controls (§164.310 (a))
Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.

Implementation specifications:

Contingency operations: Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
  Type: Addressable | Reference: §164.310 (a)(2)(i)

Facility security plan: Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
  Type: Addressable | Reference: §164.310 (a)(2)(ii)

Access control and validation procedures: Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
  Type: Addressable | Reference: §164.310 (a)(2)(iii)

Maintenance records: Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks).
  Type: Addressable | Reference: §164.310 (a)(2)(iv)

Workstation Use
Standard: Workstation Use (§164.310 (b))
Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.

Implementation specifications: N/A

Workstation Security
Standard: Workstation Security (§164.310 (c))
Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.

Implementation specifications: N/A

Device and Media Controls
Standard: Device and Media Controls (§164.310 (d))
Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.

Implementation specifications:

Disposal: Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.
  Type: Required | Reference: §164.310 (d)(2)(i)

Media re-use: Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.
  Type: Required | Reference: §164.310 (d)(2)(ii)

Accountability: Maintain a record of the movements of hardware and electronic media and any person responsible therefore.
  Type: Addressable | Reference: §164.310 (d)(2)(iii)

Data backup and storage: Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.
  Type: Addressable | Reference: §164.310 (d)(2)(iv)

Technical Safeguards

Access Control
Standard: Access Control (§164.312 (a))
Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a)(4).

Implementation specifications:

Unique user identification: Assign a unique name and/or number for identifying and tracking user identity.
  UT note: University-issued EIDs may be used for this purpose.
  Type: Required | Reference: §164.312 (a)(2)(i)

Emergency access procedure: Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.
  Type: Required | Reference: §164.312 (a)(2)(ii)

Automatic logoff: Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
  Type: Addressable | Reference: §164.312 (a)(2)(iii)

Encryption and decryption: Implement a mechanism to encrypt and decrypt electronic protected health information.
  UT note: Only encryption methods/products listed at Approved Encryption Methods are compliant with policy. The use of any other encryption methods/products not listed is only permissible with an approved Exception to Policy Request. All devices used to store confidential (Category I) university data must be encrypted using an approved method.
  Type: Addressable | Reference: §164.312 (a)(2)(iv)

Audit Controls
Standard: Audit Controls (§164.312 (b))
Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

Implementation specifications: N/A

Integrity
Standard: Integrity (§164.312 (c))
Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.

Implementation specifications:

Mechanism to authenticate electronic protected health information: Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.
  Type: Addressable | Reference: §164.312 (c)(2)

Person or Entity Authentication
Standard: Person or Entity Authentication (§164.312 (d))
Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

Implementation specifications: N/A

Transmission Security
Standard: Transmission Security (§164.312 (e))
Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.

Implementation specifications:

Integrity controls: Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.
  Type: Addressable

Encryption: Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
  UT note: Section 11.5.2 of the Information Resources Use and Security Policy mandates that all confidential (Category I) university data be encrypted in transmission over a network. Exceptions are only permissible with an approved Exception to Policy Request.
  Type: Required by university policy


Policies and Procedures; Documentation Requirements

Policies and Procedures
Standard: Policies and Procedures (§164.316 (a))
Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in §164.306 (b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart.

Implementation specifications: N/A

Documentation
Standard: Documentation (§164.316 (b)(1))
(i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and
(ii) If an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.

Implementation specifications:

Time limit: Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.
  UT note: Records should not be kept longer than is required. When no longer required, records must be destroyed or erased in a secure manner.
  Type: Required | Reference: §164.316 (b)(2)(i)

Availability: Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains.
  Type: Required | Reference: §164.316 (b)(2)(ii)

Updates: Review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information.
  Type: Required | Reference: §164.316 (b)(2)(iii)


UT Specific Policy Requirements for Category I Systems

Backups
Standard: Backups (MSS 4.1)

Implementation specifications:

Backups must be verified at least monthly, either through automated verification, through customer restores, or through trial restores.
  Type: Required | Reference: MSS 4.1.2

Change Management
Standard: Change Management (MSS 4.2)

Implementation specifications:

There must be a change control process for systems configuration. This process must be documented.
  Type: Required | Reference: MSS 4.2.1

System changes should be evaluated prior to being applied in a production environment.
  Type: Required | Reference: MSS 4.2.2

Patches must be tested prior to installation in the production environment if a test environment is available.
  Type: Addressable | Reference: MSS 4.2.3

Computer Virus Prevention
Standard: Computer Virus Prevention (MSS 4.3)

Implementation specifications:

Anti-virus software must be installed and enabled.
  Type: Required | Reference: MSS 4.3.1

Install and enable anti-spyware software. Installing and enabling anti-spyware software is required if the machine is used by administrators to browse Web sites not specifically related to the administration of the machine.
  Type: Addressable | Reference: MSS 4.3.2

Anti-virus and, if applicable, anti-spyware software should be configured to update signatures at least daily.
  Type: Required | Reference: MSS 4.3.3

Systems administrators should maintain and keep available a description of the standard configuration of anti-virus software.
  Type: Required | Reference: MSS 4.3.4

System Hardening
Standard: System Hardening (MSS 4.5)

Implementation specifications:

Systems must be set up in a protected network environment or by using a method that assures the system is not accessible via a potentially hostile network until it is secured.
  Type: Required | Reference: MSS 4.5.1

Operating system and application services security patches should be installed expediently and in a manner consistent with change management procedures.
  Type: Required | Reference: MSS 4.5.2

If automatic notification of new patches is available, that option should be enabled.
  Type: Required | Reference: MSS 4.5.3

Services, applications, and user accounts that are not being utilized should be disabled or uninstalled.
  Type: Required | Reference: MSS 4.5.4

Methods should be enabled to limit connections to services running on the host to only the authorized users of the service. Software firewalls, hardware firewalls, and service configuration are a few of the methods that may be employed.
  Type: Required | Reference: MSS 4.5.5

If the operating system supports it, integrity checking of critical operating system files should be enabled and tested. Third-party tools may also be used to implement this.
  Type: Required | Reference: MSS 4.5.8

Integrity checking of system accounts, group memberships, and their associated privileges should be enabled and tested.
  Type: Required | Reference: MSS 4.5.9

The required university warning banner should be installed.
  Type: Required | Reference: MSS 4.5.10

Whenever possible, all non-removable or (re-) writable media must be configured with file systems that support access control.
  Type: Required | Reference: MSS 4.5.11

Strong password requirements will be enabled. Passwords must comply with section 15.2.2.3 of the Information Resources Use and Security Policy.
  Type: Required | Reference: MSS 4.5.13

Apply the principle of least privilege to user, administrator, and system accounts.
  Type: Required | Reference: MSS 4.5.14
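MSS 4.5.8 and 4.5.9 state the two integrity checks as requirements without describing the mechanism. The Python script below is an added example, not tooling from UT or from the standard, showing the baseline-and-compare loop that implements both: hash a set of critical files and record their permission bits, snapshot the accounts and group memberships, and on the next run report anything added, removed or changed, including any account other than root that has acquired uid 0. Every file name, user, group and passwd/group line is a constructed sample. A production deployment would use a maintained tool such as AIDE and keep the baseline off-host or on read-only media, so that whoever changes a file cannot also change the record it is compared against.

```python
"""Baseline-and-compare integrity checks for critical files and system accounts.

Added example for MSS 4.5.8 (critical operating system files) and MSS 4.5.9
(accounts, group memberships, privileges). Not UT tooling; every path, user
and group below is a constructed sample.
"""
import hashlib
import os
import tempfile

# --- files --------------------------------------------------------------

def sha256_of_file(path: str, chunk: int = 65536) -> str:
    """Hash a file in chunks so large binaries need not be read in one piece."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def file_baseline(paths) -> dict:
    """Record hash, permission bits and size per path; a missing file is recorded as None."""
    base = {}
    for p in paths:
        if os.path.exists(p):
            st = os.stat(p)
            base[p] = {"sha256": sha256_of_file(p),
                       "mode": oct(st.st_mode & 0o7777), "size": st.st_size}
        else:
            base[p] = None
    return base

# --- accounts and groups ------------------------------------------------

def parse_passwd(text: str) -> dict:
    """passwd-format lines -> {user: {uid, gid, shell}} (blank and comment lines ignored)."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, _home, shell = line.split(":")
        users[name] = {"uid": int(uid), "gid": int(gid), "shell": shell}
    return users

def parse_group(text: str) -> dict:
    """group-format lines -> {group: sorted member list}."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":")
        groups[name] = sorted(m for m in members.split(",") if m)
    return groups

def extra_uid0(users: dict) -> list:
    """Accounts other than root with uid 0: a privilege that must never appear unplanned."""
    return sorted(u for u, v in users.items() if v["uid"] == 0 and u != "root")

# --- comparison shared by both checks -----------------------------------

def diff_snapshot(old: dict, new: dict) -> dict:
    """Keys added, removed, or whose recorded value changed between two snapshots."""
    return {
        "added": sorted(k for k in new if k not in old),
        "removed": sorted(k for k in old if k not in new),
        "changed": sorted(k for k in old if k in new and old[k] != new[k]),
    }

# Constructed samples standing in for /etc/passwd and /etc/group at two points in time.
PASSWD_BASELINE = "root:x:0:0:root:/root:/bin/bash\nphi-app:x:1001:1001:PHI service:/srv/phi:/usr/sbin/nologin\n"
PASSWD_CURRENT = ("root:x:0:0:root:/root:/bin/bash\nphi-app:x:1001:1001:PHI service:/srv/phi:/bin/bash\n"
                  "backdoor:x:0:0:unexpected:/tmp:/bin/sh\n")
GROUP_BASELINE = "sudo:x:27:alice\nphi-admins:x:1002:alice,bob\n"
GROUP_CURRENT = "sudo:x:27:alice,bob\nphi-admins:x:1002:alice,bob\n"

def demo_file_check() -> dict:
    """Baseline two constructed config files in a temp dir, alter one, report the difference."""
    with tempfile.TemporaryDirectory() as d:
        sshd = os.path.join(d, "sshd_config")
        sudoers = os.path.join(d, "sudoers")
        with open(sshd, "w") as f:
            f.write("PermitRootLogin no\n")
        with open(sudoers, "w") as f:
            f.write("root ALL=(ALL) ALL\n")
        baseline = file_baseline([sshd, sudoers])
        with open(sshd, "w") as f:            # simulated unauthorized edit
            f.write("PermitRootLogin yes\n")
        report = diff_snapshot(baseline, file_baseline([sshd, sudoers]))
        return {k: [os.path.basename(p) for p in v] for k, v in report.items()}

if __name__ == "__main__":
    print("files:", demo_file_check())
    print("accounts:", diff_snapshot(parse_passwd(PASSWD_BASELINE), parse_passwd(PASSWD_CURRENT)))
    print("unexpected uid 0:", extra_uid0(parse_passwd(PASSWD_CURRENT)))
    print("groups:", diff_snapshot(parse_group(GROUP_BASELINE), parse_group(GROUP_CURRENT)))
```

The same diff_snapshot comparison serves files, accounts and groups because each snapshot is a plain dictionary; what differs is only what gets recorded per key. Recording the permission bits alongside the hash matters: a file whose content is unchanged but which has become world-writable is also a finding.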
 
Security Monitoring
Standard: Security Monitoring (MSS 4.6)

Implementation specifications:

If the operating system comes with a means to log activity, enabling and testing of those controls is required.
  Type: Required | Reference: MSS 4.6.1

Operating system and service log monitoring and analysis should be performed routinely. This process should be documented.
  Type: Required | Reference: MSS 4.6.2

The systems administrator must follow a documented backup strategy for security logs (for example, account management, access control, data integrity, etc.). Security logs should retain at least 14 days of relevant log information (data retention requirements for specific data should be considered).
  Type: Required | Reference: MSS 4.6.3

All administrator or root access must be logged.
  Type: Required | Reference: MSS 4.6.4
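MSS 4.6.2 through 4.6.4 require routine log review, at least 14 days of retained security logs, and logging of all administrator or root access. The Python script below is an added example, not UT's tooling, of one review pass over such logs: it extracts privileged-access events (sudo to root, su to root, direct root SSH logins) from authentication log lines and checks that the retained lines span the required number of days. The host name, user names, addresses and log lines are constructed samples using ISO 8601 timestamps; lines from a real rsyslog or journald export would be fed in the same way, with the regular expressions adjusted to that output's exact wording.

```python
"""Review pass over authentication logs: privileged-access events and retention span.

Added example illustrating MSS 4.6.2-4.6.4 (routine log review, >= 14 days of
security logs, logging of all administrator/root access). Not UT tooling; the
log lines below are constructed samples, not captured from any real host.
"""
import re
from datetime import datetime

# Constructed sample: syslog-style lines with ISO 8601 timestamps from one host.
SAMPLE_AUTH_LOG = [
    "2024-03-01T08:15:02 phi-db01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart postgresql",
    "2024-03-05T22:41:10 phi-db01 su: (to root) bob on pts/1",
    "2024-03-05T22:41:10 phi-db01 su: pam_unix(su:session): session opened for user root(uid=0) by bob(uid=1002)",
    "2024-03-10T09:00:00 phi-db01 sshd[2211]: Accepted publickey for root from 10.0.5.7 port 51234 ssh2: ED25519 SHA256:constructed",
    "2024-03-16T11:03:45 phi-db01 sudo: carol : TTY=pts/2 ; PWD=/root ; USER=root ; COMMAND=/bin/cat /srv/phi/export.csv",
    "2024-03-16T11:05:00 phi-db01 sshd[2300]: Accepted password for alice from 10.0.5.9 port 50001 ssh2",
]

SUDO_RE = re.compile(r"^sudo:\s+(\S+)\s+:\s+.*?USER=(\S+)\s+;\s+COMMAND=(.*)$")
SU_RE = re.compile(r"session opened for user (\w+)\(uid=(\d+)\) by (\w+)\(uid=\d+\)")
SSHD_RE = re.compile(r"^sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+)")

MIN_RETENTION_DAYS = 14  # MSS 4.6.3

def parse_line(line: str):
    """Split a line into (timestamp, host, message); None if the timestamp is unusable."""
    try:
        ts, host, msg = line.split(" ", 2)
        return datetime.fromisoformat(ts), host, msg
    except ValueError:
        return None

def privileged_access_events(lines):
    """Return the events that amount to administrator/root access, oldest first.
    Each event records who acted, which account was reached, and by what method."""
    events = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, msg = parsed
        m = SUDO_RE.match(msg)
        if m and m.group(2) == "root":
            events.append({"time": ts, "host": host, "actor": m.group(1), "target": "root",
                           "method": "sudo", "detail": m.group(3)})
            continue
        m = SU_RE.search(msg)
        if m and m.group(2) == "0":          # uid 0 reached via su, whatever the account name
            events.append({"time": ts, "host": host, "actor": m.group(3), "target": m.group(1),
                           "method": "su", "detail": ""})
            continue
        m = SSHD_RE.match(msg)
        if m and m.group(2) == "root":       # direct root login over SSH
            events.append({"time": ts, "host": host, "actor": "root", "target": "root",
                           "method": "ssh " + m.group(1), "detail": "from " + m.group(3)})
    return sorted(events, key=lambda e: e["time"])

def retention_span_days(lines) -> int:
    """Whole days between the oldest and newest parseable line (0 if none)."""
    stamps = [p[0] for p in map(parse_line, lines) if p is not None]
    if not stamps:
        return 0
    return (max(stamps) - min(stamps)).days

def meets_retention(lines, minimum_days: int = MIN_RETENTION_DAYS) -> bool:
    """True when the retained log covers at least the required number of days."""
    return retention_span_days(lines) >= minimum_days

if __name__ == "__main__":
    for e in privileged_access_events(SAMPLE_AUTH_LOG):
        print(e["time"].isoformat(), e["host"], e["actor"], "->", e["target"], e["method"], e["detail"])
    print("retention OK:", meets_retention(SAMPLE_AUTH_LOG),
          "(", retention_span_days(SAMPLE_AUTH_LOG), "days )")
```

Note that the su "(to root) bob on pts/1" line is deliberately not matched: the PAM session line that follows it carries the numeric uid, so counting both would double-report one escalation. The retention check measures the span of what is actually present rather than a configured rotation setting, which is the difference between a log that is supposed to be kept and one that demonstrably was.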

Security Review for New Software and Appliances

Departments evaluating the implementation of new software or appliances involving HIPAA protected data should request a security review by sending a written description of the proposed implementation to the Information Security Office prior to selecting vendors or products.

Non-Compliance and Exceptions

If any of the minimum standards contained within this document cannot be met on systems manipulating HIPAA protected data, an Exception Process must be initiated that includes reporting the non-compliance to the Information Security Office, along with a plan for risk assessment and management. (See Security Exception Report.) Non-compliance with these standards may result in revocation of system or network access, notification of supervisors, and reporting to the Office of Internal Audit.

University of Texas at Austin employees are required to comply with both institutional rules and regulations and applicable UT System rules and regulations. In addition to university and System rules and regulations, University of Texas at Austin employees are required to comply with state laws and regulations.

The policies and practices listed here inform the system hardening procedures described in this document, and you should be familiar with them. (This is not an all-inclusive list of the policies and procedures that affect information technology resources.)

Information Resources Use and Security Policy (IRUSP)

UT Austin Acceptable Use Policy (AUP)

UT Austin Minimum Security Standards for Systems

UT Austin Data Classification Standard

UT Austin Information Security Exception Process

The Security Rule of the Health Insurance Portability and Accountability Act (HIPAA)

The Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA)

Health Information Technology Act (HITECH)

Title 45 of the Code of Federal Regulations (CFR)

Definitions

Health Information
Health information means any information, including genetic information, whether oral or recorded in any form or medium, that:
  1. Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
  2. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
Individually Identifiable Health Information
Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and:
  1. Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
  2. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
    1. That identifies the individual; or
    2. With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
Protected Health Information (PHI)
Protected health information means individually identifiable health information:
  1. Except as provided in paragraph (2) of this definition, that is:
    1. Transmitted by electronic media;
    2. Maintained in electronic media; or
    3. Transmitted or maintained in any other form or medium.
  2. Protected health information excludes individually identifiable health information:
    1. In education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g;
    2. In records described at 20 U.S.C. 1232g(a)(4)(B)(iv);
    3. In employment records held by a covered entity in its role as employer; and
    4. Regarding a person who has been deceased for more than 50 years.
Addressable
When a standard adopted in §164.308 (Administrative safeguards), §164.310 (Physical safeguards), §164.312 (Technical safeguards), §164.314 (Organizational requirements), or §164.316 (Policies and procedures and documentation requirements) includes addressable implementation specifications, a covered entity must:
  1. Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment when analyzed with reference to the likely contribution to protecting the entity’s electronic protected health information; and
  2. As applicable to the entity
    1. Implement the implementation specification if reasonable and appropriate; or
    2. If implementing the implementation specification is not reasonable and appropriate:
      1. Document why it would not be reasonable and appropriate to implement the implementation specification; and
      2. Implement an equivalent alternative measure if reasonable and appropriate.
Required
When a standard adopted in §164.308 (Administrative safeguards), §164.310 (Physical safeguards), §164.312 (Technical safeguards), §164.314 (Organizational requirements), or §164.316 (Policies and procedures and documentation requirements) includes required implementation specifications, a covered entity must implement the implementation specifications.

External References