Table of Contents
Overview
1. Purpose
These minimum standards serve as a supplement to the Information Resources Use and Security Policy, specifically for devices that are used to work with HIPAA protected data. Adherence to the standards will increase the security of systems and help safeguard university information technology resources. These minimum standards exist in addition to all other university policies and federal and state regulations governing the protection of the university's data.
Compliance with these requirements does not imply a completely secure system. Instead, these requirements should be integrated into a comprehensive system security plan.
2. Scope
These standards apply to all devices, physical or virtual, that are used to process, view, modify, store, or otherwise interact with any data that is classified as Protected Health Information (PHI).
3. Audience
All persons with access to any computing device that falls within the scope defined in the previous section of this document.
Minimum Standards
Note that the implementation specifications provided in the Security and Privacy rules may be addressable or required. Some standards do not have any implementation specifications. These standards are just the minimum for HIPAA compliance. In some cases, additional controls may be necessary to comply with university policy. All devices must also meet the Minimum Security Standards for Systems.
Administrative Safeguards
|
Standard: Security Management §164.308 (a)(1) Implement policies and procedures to prevent, detect, contain, and correct security violations. |
|
Implementation Specification |
Type |
Reference |
|---|---|---|
|
Risk analysis: Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held. UT note: This assessment is required annually per university policy. The Information Security Office may be able to conduct the assessment, depending upon the size and scope of the covered environment. |
Required |
§164.308 (a)(1)(ii)(A) |
|
Risk management: Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. These measures must, at a minimum:
|
Required |
§164.308 (a)(1)(ii)(B) |
|
Sanction policy: Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures. |
Required |
§164.308 (a)(1)(ii)(C) |
|
Information system activity review: Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. UT note:Splunk might be useful for log aggregation, searching, and custom activity alerts, and is available free of charge to campus. |
Required |
§164.308 (a)(1)(ii)(D) |
|
Standard: Assign Security Responsibility §164.308 (a)(2) Identify the security official who is responsible for the development and implementation of required policies and procedures. |
|
Implementation Specification |
Type |
Reference |
|---|---|---|
|
N/A |
|
|
|
Standard: Workforce Security §164.308 (a)(3) |
|
Implementation Specification |
Type |
Reference |
|---|---|---|
|
Authorization and/or supervision: Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed. |
Addressable |
§164.308 (a)(3)(ii)(A) |
|
Workforce clearance procedure: Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate. |
Addressable |
§164.308 (a)(3)(ii)(B) |
|
Termination procedures: Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends or as required by determinations made as specified in §164.308 (a)(3)(ii)(B). |
Addressable |
§164.308 (a)(3)(ii)(C) |
|
Standard: Information Access Management §164.308 (a)(4) Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of Subpart E of the HIPAA Privacy Rule. |
|
Implementation Specification |
Type |
Reference |
|---|---|---|
|
Access authorization: Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism. |
Addressable |
§164.308 (a)(4)(ii)(B) |
|
Access establishment and modification: Implement policies and procedures that, based upon access authorization policies, establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process. |
Addressable |
§164.308 (a)(4)(ii)(C) |
|
Standard: Security Awareness and Training §164.308 (a)(5) |
|
Implementation Specification |
Type |
Reference |
|---|---|---|
|
Implement a security awareness and training program that, at a minimum, covers:
|
Addressable |
§164.308 (a)(5)(ii)(A-D) |
|
Standard: Security Incident Procedures §164.308 (a)(6) Implement policies and procedures to address security incidents. |
|
Implementation Specification |
Type |
Reference |
|---|---|---|
|
Response and Reporting: Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes. UT note: All incidents must be reported immediately to the Information Security Office (abuse@utexas.edu). |
Required |
§164.308 (a)(6)(ii)(A) |
|
Standard: Contingency Plan §164.308 (a)(7) Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information. |
|
Implementation Specification |
Type |
Reference |
|---|---|---|
|
Data backup plan: Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information. UT note: An cloud-based CrashPlan service is available to staff, faculty, and departments. When combined with a user-managed encryption key, this service can be used with HIPAA data. |
Required |
§164.308 (a)(7)(ii)(A) |
|
Disaster recovery plan: Establish (and implement as needed) procedures to restore any loss of data. |
Required |
§164.308 (a)(7)(ii)(B) |
|
Emergency mode operation plan: Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode. UT note: The Information Security Office provides a disaster recovery planning service, UT Ready, and business impact analysis templates for business continuity and disaster recovery documentation/planning. |
Required |
§164.308 (a)(7)(ii)(C) |
|
Testing and revision procedures: Implement procedures for periodic testing and revision of contingency plans. |
Addressable |
§164.308 (a)(7)(ii)(D) |
|
Applications and data criticality analysis: Assess the relative criticality of specific applications and data in support of other contingency plan components. UT note: Applications and/or Vendor managed services must be registered and assessed in the Information Security Office's risk management tool (ISORA). Applications can be added to the department's application inventory in ISORA, which will then trigger an assessment to be completed by the IT support staff. Vendor managed services can be added to teh department's vendor inventory in ISORA, which will then allow the department to assign an assessment to the vendor they are working with. These must be maintained annually. |
Addressable |
§164.308 (a)(7)(ii)(E) |
|
Standard: Evaluation §164.308 (a)(8) Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which the security policies and procedures meet the requirements of §164.308 (a). |
|
Implementation Specification |
Type |
Reference |
|---|---|---|
|
N/A |
|
|
|
Standard: Business Associate Contracts and Other Arrangements §164.308 (b)(1) A covered entity, in accordance with §164.306, may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity’s behalf only if the covered entity obtains satisfactory assurances, in accordance with §164.314 (a) that the business associate will appropriately safeguard the information. |
|
Implementation Specification |
Type |
Reference |
|---|---|---|
|
Written contract or other arrangement: Document the satisfactory assurances required through a written contract or other arrangement with the business associate that meets the applicable requirements of §164.314 (a). |
Required |
§164.308 (b)(4) |
Physical Safeguards
|
Standard: Facility Access Controls |LF||LF|§164.310 (a)|RF||RF| Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed. |
|
Implementation Specification |
Type |
Reference |
|---|---|---|
|
Contingency operations: Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency. |
Addressable |
§164.310 (a)(2)(i) |
|
Facility security plan: Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft. |
Addressable |
§164.310 (a)(2)(ii) |
|
Access control and validation procedures: Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision. |
Addressable |
§164.310 (a)(2)(iii) |
|
Maintenance records: Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks). |
Addressable |
§164.310 (a)(2)(iv) |
|
Standard: Workstation Use |LF||LF|§164.310 (b)|RF||RF| Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information. |
|
Implementation Specification |
Type |
Reference |
|---|---|---|
|
N/A |
|
|
|
Standard: Workstation Security |LF||LF|§164.310 (c)|RF||RF| Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users. |
|
Implementation Specification |
Type |
Reference |
|---|---|---|
|
N/A |
|
|
|
Standard: Device and Media Controls |LF||LF|§164.310 (d)|RF||RF| Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility. |
|
Implementation Specification |
Type |
Reference |
|---|---|---|
|
Disposal: Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored. |
Required |
§164.310 (d)(2)(i) |
|
Media re-use: Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use. |
Required |
§164.310 (d)(2)(ii) |
|
Accountability: Maintain a record of the movements of hardware and electronic media and any person responsible therefore. |
Addressable |
§164.310 (d)(2)(iii) |
|
Data backup and storage: Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment. |
Addressable |
§164.310 (d)(2)(iv) |
Technical Safeguards
|
Standard: Access Control |LF||LF|§164.312 (a)|RF||RF| Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a)(4). |
|
Implementation Specification |
Type |
Reference |
|---|---|---|
|
Unique user identification: Assign a unique name and/or number for identifying and tracking user identity. |LF||LF|UT note: University-issued EIDs may be used for this purpose.|RF||RF| |
Required |
§164.312 (a)(2)(i) |
|
Emergency access procedure: Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency. |
Required |
§164.312 (a)(2)(ii) |
|
Automatic logoff: Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. |
Addressable |
§164.312 (a)(2)(iii) |
|
Encryption and decryption: Implement a mechanism to encrypt and decrypt electronic protected health information. |LF||LF|UT note: Only encryption methods/products listed at Approved Encryption Methods ar compliant with policy. The use of any other encryption methods/products not listed is only permissible with an approved Exception to Policy Request. All devices used to store confidential (Category I) university data must be encrypted using an approved method.|RF||RF| |
Addressable |
§164.312 (a)(2)(iv) |
|
Standard: Audit Controls |LF||LF|§164.312 (b)|RF||RF| Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. |
|
Implementation Specification |
Type |
Reference |
|---|---|---|
|
N/A |
|
|
|
Standard: Integrity |LF||LF|§164.312 (c)|RF||RF| Implement policies and procedures to protect electronic protected health information from improper alteration or destruction. |
|
Implementation Specification |
Type |
Reference |
|---|---|---|
|
Mechanism to authenticate electronic protected health information: Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner. |
Addressable |
§164.312 (c)(2) |
|
Standard: Person or Entity Authentication |LF||LF|§164.312 (d)|RF||RF| Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed. |
|
Implementation Specification |
Type |
Reference |
|---|---|---|
|
N/A |
|
|
|
Standard: Transmission Security |LF||LF|§164.312 (e)|RF||RF| Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network. |
|
Implementation Specification |
Type |
Reference |
|---|---|---|
|
Integrity controls: Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of. |
Addressable |
|
|
Encryption: Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate. |LF||LF|UT note: Section 11.5.2 of the Information Resources Use and Security Policy mandates that all confidential (Category I) university data be encrypted in transmission over a network. Exceptions are only permissible with an approved Exception to Policy Request.|RF||RF| |
Required by university policy |
|
Policies and Procedures; Documentation Requirements
|
Standard: Policies and Procedures |LF||LF|§164.316 (a)|RF||RF| Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in §164.306 (b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart. |
|
Implementation Specification |
Type |
Reference |
|---|---|---|
|
N/A |
|
|
|
Standard: Documentation |LF||LF|§164.316 (b)(1)|RF||RF| (i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and (ii) If an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment. |
|
Implementation Specification |
Type |
Reference |
|---|---|---|
|
Time limit: Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later. |LF||LF|UT note: Records should not be kept longer than is required. When no longer required, records must be destroyed or erased in a secure manner.|RF||RF| |
Required |
§164.316 (b)(2)(i) |
|
Availability: Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains. |
Required |
§164.316 (b)(2)(ii) |
|
Updates: Review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information. |
Required |
§164.316 (b)(2)(iii) |
UT Specific Policy Requirements for Category I Systems
|
Standard: Backups |LF||LF|MSS 4.1|RF||RF| |
|
Implementation Specification |
Type |
Reference |
|---|---|---|
|
Backups must be verified at least monthly, either through automated verification, through customer restores, or through trial restores. |
Required |
MSS 4.1.2 |
|
Standard: Change Management |LF||LF|MSS 4.2|RF||RF| |
|
Implementation Specification |
Type |
Reference |
|---|---|---|
|
There must be a change control process for systems configuration. This process must be documented. |
Required |
MSS 4.2.1 |
|
System changes should be evaluated prior to being applied in a production environment. |
Required |
MSS 4.2.2 |
|
Patches must be tested prior to installation in the production environment if a test environment is available. |
Addressable |
MSS 4.2.3 |
|
Standard: Computer Virus Prevention |LF||LF|MSS 4.3|RF||RF| |
|
Implementation Specification |
Type |
Reference |
|---|---|---|
|
Anti-virus software must be installed and enabled. |
Required |
MSS 4.3.1 |
|
Install and enable anti-spyware software. Installing and enabling anti-spyware software is required if the machine is used by administrators to browse Web sites not specifically related to the administration of the machine. |
Addressable |
MSS 4.3.2 |
|
Anti-virus and, if applicable, anti-spyware software should be configured to update signatures at least daily. |
Required |
MSS 4.3.3 |
|
Systems administrators should maintain and keep available a description of the standard configuration of anti-virus software. |
Required |
MSS 4.3.4 |
|
Standard: System Hardening |LF||LF|MSS 4.5|RF||RF| |
|
Implementation Specification |
Type |
Reference |
|---|---|---|
|
Systems must be set up in a protected network environment or by using a method that assures the system is not accessible via a potentially hostile network until it is secured. |
Required |
MSS 4.5.1 |
|
Operating system and application services security patches should be installed expediently and in a manner consistent with change management procedures. |
Required |
MSS 4.5.2 |
|
If automatic notification of new patches is available, that option should be enabled. |
Required |
MSS 4.5.3 |
|
Services, applications, and user accounts that are not being utilized should be disabled or uninstalled. |
Required |
MSS 4.5.4 |
|
Methods should be enabled to limit connections to services running on the host to only the authorized users of the service. Software firewalls, hardware firewalls, and service configuration are a few of the methods that may be employed. |
Required |
MSS 4.5.5 |
|
If the operating system supports it, integrity checking of critical operating system files should be enabled and tested. Third-party tools may also be used to implement this. |
Required |
MSS 4.5.8 |
|
Integrity checking of system accounts, group memberships, and their associated privileges should be enabled and tested. |
Required |
MSS 4.5.9 |
|
The required university warning banner should be installed. |
Required |
MSS 4.5.10 |
|
Whenever possible, all non-removable or (re-) writable media must be configured with file systems that support access control. |
Required |
MSS 4.5.11 |
|
Strong password requirements will be enabled. Passwords must comply with section 15.2.2.3 of the Information Resources Use and Security Policy. |
Required |
MSS 4.5.13 |
|
Apply the principle of least privilege to user, administrator, and system accounts. |
Required |
MSS 4.5.14 |
|
Standard: Security Monitoring |LF||LF|MSS 4.6|RF||RF| |
|
Implementation Specification |
Type |
Reference |
|---|---|---|
|
If the operating system comes with a means to log activity, enabling and testing of those controls is required. |
Required |
MSS 4.6.1 |
|
Operating system and service log monitoring and analysis should be performed routinely. This process should be documented. |
Required |
MSS 4.6.2 |
|
The systems administrator must follow a documented backup strategy for security logs (for example, account management, access control, data integrity, etc.). Security logs should retain at least 14 days of relevant log information (data retention requirements for specific data should be considered). |
Required |
MSS 4.6.3 |
|
All administrator or root access must be logged. |
Required |
MSS 4.6.4 |
Security Review for New Software and Appliances
Departments evaluating the implementation of new software or appliances involving HIPAA protected data should request a security review by sending a written description of the proposed implementation to the Information Security Office prior to selecting vendors or products.
Non-Compliance and Exceptions
If any of the minimum standards contained within this document cannot be met on systems manipulating HIPAA protected data, an Exception Process must be initiated that includes reporting the non-compliance to the Information Security Office, along with a plan for risk assessment and management. (See Security Exception Report.) Non-compliance with these standards may result in revocation of system or network access, notification of supervisors, and reporting to the Office of Internal Audit.
University of Texas at Austin employees are required to comply with both institutional rules and regulations and applicable UT System rules and regulations. In addition to university and System rules and regulations, University of Texas at Austin employees are required to comply with state laws and regulations.
Related UT Austin Policies, Procedures, Best Practices and Applicable Laws
The policies and practices listed here inform the system hardening procedures described in this document and with which you should be familiar. (This is not an all-inclusive list of policies and procedures that affect information technology resources.)
Information Resources Use and Security Policy (IRUSP)
UT Austin Acceptable Use Policy (AUP)
UT Austin Minimum Security Standards for Systems
UT Austin Data Classification Standard
UT Austin Information Security Exception Process
The Security Rule of the Health Insurance Portability and Accountability Act (HIPAA)
The Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA)
Definitions
Section 1171, Part C of Subtitle F, Health Insurance Portability and Accountability Act:
§160.103 of Title 45, Code of Federal Regulations:
Health information means any information, including genetic information, whether oral or recorded in any form or medium, that:
- Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
- Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
Section 1171, Part C of Subtitle F, Health Insurance Portability and Accountability Act:
§160.103 of Title 45, Code of Federal Regulations:
Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and:
- Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
- Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
- That identifies the individual; or
- With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
§160.103 of Title 45, Code of Federal Regulations:
Protected health information means individually identifiable health information:
- Except as provided in paragraph (2) of this definition, that is:
- Transmitted by electronic media;
- Maintained in electronic media; or
- Transmitted or maintained in any other form or medium.
- Protected health information excludes individually identifiable health information:
- In education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g;
- In records described at 20 U.S.C. 1232g(a)(4)(B)(iv);
- In employment records held by a covered entity in its role as employer; and
- Regarding a person who has been deceased for more than 50 years.
§164.306 (d)(3), Subpart C, Health Insurance Accountability and Portability Act:
When a standard adopted in §164.308 (Administrative safeguards), §164.310 (Physical safeguards), §164.312 (Technical safeguards), §164.314 (Organizational requirements), or §164.316 (Policies and procedures and documentation requirements) includes addressable implementation specifications, a covered entity must:
- Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment when analyzed with reference to the likely contribution to protecting the entity’s electronic protected health information; and
- As applicable to the entity
- Implement the implementation specification if reasonable and appropriate; or
- If implementing the implementation specification is not reasonable and appropriate:
- Document why it would not be reasonable and appropriate to implement the implementation specification; and
- Implement an equivalent alternative measure if reasonable and appropriate.
§164.306 (d)(2), Subpart C, Health Insurance Accountability and Portability Act:
When a standard adopted in §164.308 (Administrative safeguards), §164.310 (Physical safeguards), §164.312 (Technical safeguards), §164.314 (Organizational requirements), or §164.316 (Policies and procedures and documentation requirements) includes required implementation specifications, a covered entity must implement the implementation specifications.