Overview

1. Purpose

These minimum standards serve as a supplement to the Information Resources Use and Security Policy, specifically for devices that are used to work with HIPAA protected data. Adherence to the standards will increase the security of systems and help safeguard university information technology resources. These minimum standards exist in addition to all other university policies and federal and state regulations governing the protection of the university's data.

Compliance with these requirements does not imply a completely secure system. Instead, these requirements should be integrated into a comprehensive system security plan.

2. Scope

These standards apply to all devices, physical or virtual, that are used to process, view, modify, store, or otherwise interact with any data that is classified as Protected Health Information (PHI).

3. Audience

All persons with access to any computing device that falls within the scope defined in the previous section of this document.

Minimum Standards

Note that the implementation specifications provided in the Security and Privacy rules may be addressable or required. Some standards do not have any implementation specifications. These standards are just the minimum for HIPAA compliance. In some cases, additional controls may be necessary to comply with university policy. All devices must also meet the Minimum Security Standards for Systems.

Administrative Safeguards

Security Management

Standard: Security Management §164.308 (a)(1)

Implement policies and procedures to prevent, detect, contain, and correct security violations.

Security Management

Implementation Specification

Type

Reference

Risk analysis: Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held. UT note: This assessment is required annually per university policy. The Information Security Office may be able to conduct the assessment, depending upon the size and scope of the covered environment.

Required

§164.308 (a)(1)(ii)(A)

Risk management: Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.

These measures must, at a minimum:

  • protect against any reasonably anticipated threat or hazard to the security or integrity of such information,

  • ensure compliance by employees, and

  • protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under Subpart E of the HIPAA Privacy Rule.

Required

§164.308 (a)(1)(ii)(B)

Sanction policy: Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures.

Required

§164.308 (a)(1)(ii)(C)

Information system activity review: Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. UT note: Splunk might be useful for log aggregation, searching, and custom activity alerts, and is available free of charge to campus.

Required

§164.308 (a)(1)(ii)(D)

Assign Security Responsibility

Standard: Assign Security Responsibility §164.308 (a)(2)

Identify the security official who is responsible for the development and implementation of required policies and procedures.

Implementation Specification

Type

Reference

N/A

Workforce Security

Standard: Workforce Security §164.308 (a)(3)

Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under §164.308 (a)(4), and to prevent those workforce members who do not have access under §164.308 (a)(4) of the HIPAA Security Rule from obtaining access to electronic protected health information.

Workforce Security

Implementation Specification

Type

Reference

Authorization and/or supervision: Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.

Addressable

§164.308 (a)(3)(ii)(A)

Workforce clearance procedure: Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.

Addressable

§164.308 (a)(3)(ii)(B)

Termination procedures: Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends or as required by determinations made as specified in §164.308 (a)(3)(ii)(B).

Addressable

§164.308 (a)(3)(ii)(C)

Information Access Management

Standard: Information Access Management §164.308 (a)(4)

Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of Subpart E of the HIPAA Privacy Rule.

Information Access Management

Implementation Specification

Type

Reference

Access authorization: Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism.

Addressable

§164.308 (a)(4)(ii)(B)

Access establishment and modification: Implement policies and procedures that, based upon access authorization policies, establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process.

Addressable

§164.308 (a)(4)(ii)(C)

Security Awareness and Training

Standard: Security Awareness and Training §164.308 (a)(5)

Implement a security awareness and training program for all members of its workforce (including management).

Security Awareness and Training

Implementation Specification

Type

Reference

Implement a security awareness and training program that, at a minimum, covers:

  • procedures for creating, changing and safeguarding passwords;

  • periodic security updates;

  • procedures for protecting against, detecting, and reporting malicious software; and

  • procedures for monitoring login attempts and reporting discrepancies.

Addressable

§164.308 (a)(5)(ii)(A-D)

Security Incident Procedures

Standard: Security Incident Procedures §164.308 (a)(6)

Implement policies and procedures to address security incidents.

Security Incident Procedures

Implementation Specification

Type

Reference

Response and Reporting: Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes. UT note: All incidents must be reported immediately to the Information Security Office (abuse@utexas.edu).

Required

§164.308 (a)(6)(ii)(A)

Contingency Plan

Standard: Contingency Plan §164.308 (a)(7)

Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.

Contingency Plan

Implementation Specification

Type

Reference

Data backup plan: Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information. UT note: A cloud-based CrashPlan service is available to staff, faculty, and departments. When combined with a user-managed encryption key, this service can be used with HIPAA data.

Required

§164.308 (a)(7)(ii)(A)

Disaster recovery plan: Establish (and implement as needed) procedures to restore any loss of data.

Required

§164.308 (a)(7)(ii)(B)

Emergency mode operation plan: Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode. UT note: The Information Security Office provides a disaster recovery planning service, UT Ready, and business impact analysis templates for business continuity and disaster recovery documentation/planning.

Required

§164.308 (a)(7)(ii)(C)

Testing and revision procedures: Implement procedures for periodic testing and revision of contingency plans.

Addressable

§164.308 (a)(7)(ii)(D)

Applications and data criticality analysis: Assess the relative criticality of specific applications and data in support of other contingency plan components. UT note: Applications and/or vendor-managed services must be registered and assessed in the Information Security Office's risk management tool (ISORA). Applications can be added to the department's application inventory in ISORA, which will then trigger an assessment to be completed by the IT support staff. Vendor-managed services can be added to the department's vendor inventory in ISORA, which will then allow the department to assign an assessment to the vendor they are working with. These must be maintained annually.

Addressable

§164.308 (a)(7)(ii)(E)

Evaluation

Standard: Evaluation §164.308 (a)(8)

Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which the security policies and procedures meet the requirements of §164.308 (a).

Evaluation

Implementation Specification

Type

Reference

N/A

Business Associate Contracts and Other Arrangements

Standard: Business Associate Contracts and Other Arrangements §164.308 (b)(1)

A covered entity, in accordance with §164.306, may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity’s behalf only if the covered entity obtains satisfactory assurances, in accordance with §164.314 (a) that the business associate will appropriately safeguard the information.

Business Associate Contracts and Other Arrangements

Implementation Specification

Type

Reference

Written contract or other arrangement: Document the satisfactory assurances required through a written contract or other arrangement with the business associate that meets the applicable requirements of §164.314 (a).

Required

§164.308 (b)(4)

Physical Safeguards

Facility Access Controls

Standard: Facility Access Controls §164.310 (a)

Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.

Facility Access Controls

Implementation Specification

Type

Reference

Contingency operations: Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.

Addressable

§164.310 (a)(2)(i)

Facility security plan: Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.

Addressable

§164.310 (a)(2)(ii)

Access control and validation procedures: Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.

Addressable

§164.310 (a)(2)(iii)

Maintenance records: Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks).

Addressable

§164.310 (a)(2)(iv)

Workstation Use

Standard: Workstation Use §164.310 (b)

Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.

Workstation Use

Implementation Specification

Type

Reference

N/A

Workstation Security

Standard: Workstation Security §164.310 (c)

Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.

Workstation Security

Implementation Specification

Type

Reference

N/A

Device and Media Controls

Standard: Device and Media Controls §164.310 (d)

Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.

Device and Media Controls

Implementation Specification

Type

Reference

Disposal: Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.

Required

§164.310 (d)(2)(i)

Media re-use: Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.

Required

§164.310 (d)(2)(ii)

Accountability: Maintain a record of the movements of hardware and electronic media and any person responsible therefore.

Addressable

§164.310 (d)(2)(iii)

Data backup and storage: Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.

Addressable

§164.310 (d)(2)(iv)

Technical Safeguards

Access Control

Standard: Access Control §164.312 (a)

Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a)(4).

Access Control

Implementation Specification

Type

Reference

Unique user identification: Assign a unique name and/or number for identifying and tracking user identity. UT note: University-issued EIDs may be used for this purpose.

Required

§164.312 (a)(2)(i)

Emergency access procedure: Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.

Required

§164.312 (a)(2)(ii)

Automatic logoff: Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

Addressable

§164.312 (a)(2)(iii)

Encryption and decryption: Implement a mechanism to encrypt and decrypt electronic protected health information. UT note: Only encryption methods/products listed at Approved Encryption Methods are compliant with policy. The use of any other encryption methods/products not listed is only permissible with an approved Exception to Policy Request. All devices used to store confidential (Category I) university data must be encrypted using an approved method.

Addressable

§164.312 (a)(2)(iv)

Audit Controls

Standard: Audit Controls §164.312 (b)

Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

Audit Controls

Implementation Specification

Type

Reference

N/A

Integrity

Standard: Integrity §164.312 (c)

Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.

Integrity

Implementation Specification

Type

Reference

Mechanism to authenticate electronic protected health information: Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.

Addressable

§164.312 (c)(2)

Person or Entity Authentication

Standard: Person or Entity Authentication §164.312 (d)

Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

Person or Entity Authentication

Implementation Specification

Type

Reference

N/A

Transmission Security

Standard: Transmission Security §164.312 (e)

Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.

Transmission Security

Implementation Specification

Type

Reference

Integrity controls: Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.

Addressable

 

Encryption: Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate. UT note: Section 11.5.2 of the Information Resources Use and Security Policy mandates that all confidential (Category I) university data be encrypted in transmission over a network. Exceptions are only permissible with an approved Exception to Policy Request.

Required by university policy

Policies and Procedures; Documentation Requirements

Policies and Procedures

Standard: Policies and Procedures §164.316 (a)

Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in §164.306 (b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart.

Policies and Procedures

Implementation Specification

Type

Reference

N/A

Documentation

Standard: Documentation §164.316 (b)(1)

(i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and

(ii) If an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.

Documentation

Implementation Specification

Type

Reference

Time limit: Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later. UT note: Records should not be kept longer than is required. When no longer required, records must be destroyed or erased in a secure manner.

Required

§164.316 (b)(2)(i)

Availability: Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains.

Required

§164.316 (b)(2)(ii)

Updates: Review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information.

Required

§164.316 (b)(2)(iii)

UT Specific Policy Requirements for Category I Systems

Backups

Standard: Backups MSS 4.1

Backups

Implementation Specification

Type

Reference

Backups must be verified at least monthly, either through automated verification, through customer restores, or through trial restores.

Required

MSS 4.1.2

Change Management

Standard: Change Management MSS 4.2

Change Management

Implementation Specification

Type

Reference

There must be a change control process for systems configuration. This process must be documented.

Required

MSS 4.2.1

System changes should be evaluated prior to being applied in a production environment.

Required

MSS 4.2.2

Patches must be tested prior to installation in the production environment if a test environment is available.

Addressable

MSS 4.2.3

Computer Virus Prevention

Standard: Computer Virus Prevention MSS 4.3

Computer Virus Prevention

Implementation Specification

Type

Reference

Anti-virus software must be installed and enabled.

Required

MSS 4.3.1

Install and enable anti-spyware software. Installing and enabling anti-spyware software is required if the machine is used by administrators to browse Web sites not specifically related to the administration of the machine.

Addressable

MSS 4.3.2

Anti-virus and, if applicable, anti-spyware software should be configured to update signatures at least daily.

Required

MSS 4.3.3

Systems administrators should maintain and keep available a description of the standard configuration of anti-virus software.

Required

MSS 4.3.4

System Hardening

Standard: System Hardening MSS 4.5

System Hardening

Implementation Specification

Type

Reference

Systems must be set up in a protected network environment or by using a method that assures the system is not accessible via a potentially hostile network until it is secured.

Required

MSS 4.5.1

Operating system and application services security patches should be installed expediently and in a manner consistent with change management procedures.

Required

MSS 4.5.2

If automatic notification of new patches is available, that option should be enabled.

Required

MSS 4.5.3

Services, applications, and user accounts that are not being utilized should be disabled or uninstalled.

Required

MSS 4.5.4

Methods should be enabled to limit connections to services running on the host to only the authorized users of the service. Software firewalls, hardware firewalls, and service configuration are a few of the methods that may be employed.

Required

MSS 4.5.5

If the operating system supports it, integrity checking of critical operating system files should be enabled and tested. Third-party tools may also be used to implement this.

Required

MSS 4.5.8

Integrity checking of system accounts, group memberships, and their associated privileges should be enabled and tested.

Required

MSS 4.5.9

The required university warning banner should be installed.

Required

MSS 4.5.10

Whenever possible, all non-removable or (re-) writable media must be configured with file systems that support access control.

Required

MSS 4.5.11

Strong password requirements will be enabled. Passwords must comply with section 15.2.2.3 of the Information Resources Use and Security Policy.

Required

MSS 4.5.13

Apply the principle of least privilege to user, administrator, and system accounts.

Required

MSS 4.5.14
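The integrity-checking items above (MSS 4.5.8 for critical operating system files and MSS 4.5.9 for accounts, group memberships and privileges) and the §164.312 (c)(2) mechanism to corroborate that ePHI has not been altered all reduce to the same technique: record a trusted baseline, then compare the current state against it and explain every difference. The following is an added example written for this page, not a tool the Information Security Office provides. It uses a keyed HMAC-SHA256 rather than a bare hash so that whoever alters a file cannot simply recompute a matching baseline entry, signs the baseline record itself so tampering with the record is detected before any per-file result is trusted, and diffs /etc/passwd- and /etc/group-style snapshots for new users, uid-0 accounts and privileged-group changes. The key DEMO_KEY, the file names, the host name and every account entry are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Constructed demo key. In practice the key is kept off the monitored host so that a
# compromise of the host cannot be used to re-sign an altered baseline.
DEMO_KEY = b"constructed-demo-key-do-not-use"

def _file_mac(path, key):
    # Keyed HMAC-SHA256 over the contents: a tamperer cannot forge a matching entry.
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()

def _sign(entries, key):
    return hmac.new(key, json.dumps(entries, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def build_baseline(paths, key=DEMO_KEY):
    """Record a keyed digest and the permission bits of each file, then sign the record."""
    entries = {p: {"mac": _file_mac(p, key), "mode": oct(os.stat(p).st_mode & 0o7777)}
               for p in paths}
    return {"entries": entries, "signature": _sign(entries, key)}

def verify_files(baseline, key=DEMO_KEY):
    """Compare the current files with the baseline. A bad signature means the baseline
    itself was altered, which is reported before any per-file result is trusted."""
    report = {"baseline_tampered": False, "modified": [], "missing": [], "mode_changed": []}
    if not hmac.compare_digest(_sign(baseline["entries"], key), baseline["signature"]):
        report["baseline_tampered"] = True
        return report
    for path, rec in baseline["entries"].items():
        if not os.path.exists(path):
            report["missing"].append(path)
            continue
        if not hmac.compare_digest(_file_mac(path, key), rec["mac"]):
            report["modified"].append(path)
        if oct(os.stat(path).st_mode & 0o7777) != rec["mode"]:
            report["mode_changed"].append(path)
    return report

def parse_accounts(passwd_text, group_text):
    """Turn /etc/passwd- and /etc/group-style text into a comparable snapshot."""
    users, groups = {}, {}
    for line in passwd_text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, uid, gid, *_ = line.split(":")
            users[name] = {"uid": int(uid), "gid": int(gid)}
    for line in group_text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, _gid, members = line.split(":")
            groups[name] = sorted(m for m in members.split(",") if m)
    return {"users": users, "groups": groups}

def diff_accounts(old, new, privileged_groups=("root", "wheel", "sudo")):
    """List the account changes a reviewer must be able to explain: users added or
    removed, any account that now has uid 0, and privileged-group membership changes."""
    findings = [f"new user: {n}" for n in sorted(set(new["users"]) - set(old["users"]))]
    findings += [f"removed user: {n}" for n in sorted(set(old["users"]) - set(new["users"]))]
    for name, rec in sorted(new["users"].items()):
        if rec["uid"] == 0 and old["users"].get(name, {}).get("uid") != 0:
            findings.append(f"uid 0 account: {name}")
    for grp in privileged_groups:
        before, after = set(old["groups"].get(grp, [])), set(new["groups"].get(grp, []))
        findings += [f"added to {grp}: {m}" for m in sorted(after - before)]
        findings += [f"removed from {grp}: {m}" for m in sorted(before - after)]
    return findings

def demo():
    """Run both checks on constructed data in a temporary directory and return the findings."""
    with tempfile.TemporaryDirectory() as d:
        paths = [os.path.join(d, n) for n in ("sshd_config", "hosts", "sudoers")]
        for p in paths:
            with open(p, "w") as fh:
                fh.write(f"# constructed content of {os.path.basename(p)}\n")
        baseline = build_baseline(paths)
        with open(paths[1], "a") as fh:     # an edit made after the baseline was taken
            fh.write("203.0.113.9 phi-db.internal\n")
        os.remove(paths[2])                 # a file that disappeared after the baseline
        files = verify_files(baseline)
        # A baseline record edited without the key must be rejected outright.
        forged = {"entries": dict(baseline["entries"]), "signature": baseline["signature"]}
        forged["entries"][paths[1]] = {"mac": "0" * 64, "mode": "0o644"}
        tampered = verify_files(forged)["baseline_tampered"]
    passwd_old = "root:x:0:0:root:/root:/bin/bash\nalice:x:1000:1000::/home/alice:/bin/bash\n"
    old = parse_accounts(passwd_old, "root:x:0:\nsudo:x:27:alice\n")
    new = parse_accounts(passwd_old + "svc:x:0:0::/:/bin/sh\n", "root:x:0:\nsudo:x:27:alice,bob\n")
    return {"modified": [os.path.basename(p) for p in files["modified"]],
            "missing": [os.path.basename(p) for p in files["missing"]],
            "mode_changed": files["mode_changed"],
            "baseline_tampered": tampered,
            "accounts": diff_accounts(old, new)}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the file prints the demo report: `hosts` modified, `sudoers` missing, the forged baseline rejected, and three account findings (a new user, an account with uid 0, and a new member of `sudo`). Testing the control, as MSS 4.5.8 and 4.5.9 require, means exactly this kind of deliberate change followed by confirmation that the report catches it; the same signed-baseline pattern applies to an ePHI data set under §164.312 (c)(2), with the key held by a party other than the system that stores the data.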

 

Security Monitoring

Standard: Security Monitoring MSS 4.6

Security Monitoring

Implementation Specification

Type

Reference

If the operating system comes with a means to log activity, enabling and testing of those controls is required.

Required

MSS 4.6.1

Operating system and service log monitoring and analysis should be performed routinely. This process should be documented.

Required

MSS 4.6.2

The systems administrator must follow a documented backup strategy for security logs (for example, account management, access control, data integrity, etc.). Security logs should retain at least 14 days of relevant log information (data retention requirements for specific data should be considered).

Required

MSS 4.6.3

All administrator or root access must be logged.

Required

MSS 4.6.4
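The monitoring items above (MSS 4.6.1 through 4.6.4) and the information system activity review required by §164.308 (a)(1)(ii)(D) call for a routine, documented review of operating system and service logs. The following is an added example, not a university tool, of what such a review can check mechanically: it lists every root login and every sudo command (the administrator and root access that MSS 4.6.4 says must be logged), flags bursts of failed logins from a single source, and reports whether the span of the log on hand meets the 14-day floor of MSS 4.6.3. The auth-log sample, the host name phi-db and the addresses in it are constructed; the line shape assumed is an rsyslog-style "timestamp host program[pid]: message" with ISO timestamps.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log. Real syslog timestamps usually omit the year; the ISO form is
# used here so the lines parse without extra date handling.
SAMPLE_LOG = """\
2024-03-01T08:00:01 phi-db sshd[1201]: Accepted publickey for alice from 10.10.0.5 port 51022 ssh2
2024-03-01T08:02:10 phi-db sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart postgresql
2024-03-05T14:30:00 phi-db sshd[2310]: Accepted password for root from 10.10.0.9 port 40110 ssh2
2024-03-09T02:11:01 phi-db sshd[3001]: Failed password for invalid user admin from 203.0.113.9 port 4242 ssh2
2024-03-09T02:11:03 phi-db sshd[3002]: Failed password for invalid user admin from 203.0.113.9 port 4243 ssh2
2024-03-09T02:11:05 phi-db sshd[3003]: Failed password for root from 203.0.113.9 port 4244 ssh2
2024-03-09T02:11:09 phi-db sshd[3004]: Failed password for root from 203.0.113.9 port 4245 ssh2
2024-03-09T02:11:12 phi-db sshd[3005]: Failed password for invalid user test from 203.0.113.9 port 4246 ssh2
2024-03-09T02:11:20 phi-db sshd[3006]: Failed password for invalid user oracle from 203.0.113.9 port 4247 ssh2
2024-03-12T09:15:44 phi-db sshd[4100]: Failed password for bob from 10.10.0.7 port 50001 ssh2
2024-03-12T09:15:50 phi-db sshd[4101]: Accepted password for bob from 10.10.0.7 port 50001 ssh2
2024-03-16T17:45:00 phi-db sudo: bob : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/cat /var/lib/postgresql/phi_export.csv
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^\[:\s]+)(?:\[\d+\])?: (?P<msg>.*)$")
ACCEPT_RE = re.compile(r"^Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)")
FAILED_RE = re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"^(?P<user>\S+) : .*\bUSER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")

def parse_line(line):
    """Split one log line into timestamp, host, program and message; None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec

def review_log(lines, min_retention_days=14, burst_threshold=5, burst_window=timedelta(minutes=10)):
    """Return what a routine review records: privileged access events, failed-login bursts
    per source, the number of days the log covers, and how many lines could not be parsed."""
    events = [e for e in (parse_line(line) for line in lines) if e]
    admin_access, failures = [], {}
    for e in events:
        stamp = e["ts"].isoformat(sep=" ")
        if e["prog"] == "sshd":
            a = ACCEPT_RE.match(e["msg"])
            if a and a["user"] == "root":
                admin_access.append(f"{stamp} root login via {a['method']} from {a['src']}")
            f = FAILED_RE.match(e["msg"])
            if f:
                failures.setdefault(f["src"], []).append(e["ts"])
        elif e["prog"] == "sudo":
            s = SUDO_RE.match(e["msg"])
            if s:
                admin_access.append(f"{stamp} sudo {s['user']} -> {s['target']}: {s['cmd']}")
    # A burst is burst_threshold failures from one source inside burst_window.
    bursts = {}
    for src, stamps in failures.items():
        stamps.sort()
        for i in range(len(stamps) - burst_threshold + 1):
            if stamps[i + burst_threshold - 1] - stamps[i] <= burst_window:
                bursts[src] = len(stamps)
                break
    if events:
        first, last = min(e["ts"] for e in events), max(e["ts"] for e in events)
        days = (last.date() - first.date()).days + 1
    else:
        days = 0
    return {"admin_access": admin_access, "failed_login_bursts": bursts,
            "retention_days": days, "retention_ok": days >= min_retention_days,
            "unparsed": sum(1 for line in lines if line.strip() and parse_line(line) is None)}

if __name__ == "__main__":
    import json
    print(json.dumps(review_log(SAMPLE_LOG.splitlines()), indent=2))
```

The `unparsed` count matters as much as the findings: a review that silently drops lines it does not understand is not the documented, complete review MSS 4.6.2 asks for. The same three checks can be written as saved searches in an aggregator such as the Splunk service mentioned under §164.308 (a)(1)(ii)(D); keeping the review script or search definitions under change control is what makes the process documented.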

Security Review for New Software and Appliances

Departments evaluating the implementation of new software or appliances involving HIPAA protected data should request a security review by sending a written description of the proposed implementation to the Information Security Office prior to selecting vendors or products.

Non-Compliance and Exceptions

If any of the minimum standards contained within this document cannot be met on systems manipulating HIPAA protected data, an Exception Process must be initiated that includes reporting the non-compliance to the Information Security Office, along with a plan for risk assessment and management. (See Security Exception Report.) Non-compliance with these standards may result in revocation of system or network access, notification of supervisors, and reporting to the Office of Internal Audit.

University of Texas at Austin employees are required to comply with both institutional rules and regulations and applicable UT System rules and regulations. In addition to university and System rules and regulations, University of Texas at Austin employees are required to comply with state laws and regulations.

Related UT Austin Policies, Procedures, Best Practices and Applicable Laws

Definitions

Health Information

Section 1171, Part C of Subtitle F, Health Insurance Portability and Accountability Act:

§160.103 of Title 45, Code of Federal Regulations:

Health information means any information, including genetic information, whether oral or recorded in any form or medium, that:

  1. Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
  2. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

Individually Identifiable Health Information

Section 1171, Part C of Subtitle F, Health Insurance Portability and Accountability Act:

§160.103 of Title 45, Code of Federal Regulations:

Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and:

  1. Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
  2. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
    1. That identifies the individual; or
    2. With respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Protected Health Information (PHI)

§160.103 of Title 45, Code of Federal Regulations:

Protected health information means individually identifiable health information:

  1. Except as provided in paragraph (2) of this definition, that is:
    1. Transmitted by electronic media;
    2. Maintained in electronic media; or
    3. Transmitted or maintained in any other form or medium.
  2. Protected health information excludes individually identifiable health information:
    1. In education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g;
    2. In records described at 20 U.S.C. 1232g(a)(4)(B)(iv);
    3. In employment records held by a covered entity in its role as employer; and
    4. Regarding a person who has been deceased for more than 50 years.

Addressable

§164.306 (d)(3), Subpart C, Health Insurance Portability and Accountability Act:

When a standard adopted in §164.308 (Administrative safeguards), §164.310 (Physical safeguards), §164.312 (Technical safeguards), §164.314 (Organizational requirements), or §164.316 (Policies and procedures and documentation requirements) includes addressable implementation specifications, a covered entity must:

  1. Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment when analyzed with reference to the likely contribution to protecting the entity’s electronic protected health information; and
  2. As applicable to the entity:
    1. Implement the implementation specification if reasonable and appropriate; or
    2. If implementing the implementation specification is not reasonable and appropriate:
      1. Document why it would not be reasonable and appropriate to implement the implementation specification; and
      2. Implement an equivalent alternative measure if reasonable and appropriate.

Required

§164.306 (d)(2), Subpart C, Health Insurance Portability and Accountability Act:

When a standard adopted in §164.308 (Administrative safeguards), §164.310 (Physical safeguards), §164.312 (Technical safeguards), §164.314 (Organizational requirements), or §164.316 (Policies and procedures and documentation requirements) includes required implementation specifications, a covered entity must implement the implementation specifications.