UNIVERSITY OF PITTSBURGH POLICY 07-02-06
SECTION: Confidentiality of Medical Information
SUBJECT: Security of Electronic Medical Records – Compliance with the Health
Insurance Portability and Accountability Act of 1996 (HIPAA)
EFFECTIVE DATE: March 18, 2005
This policy sets forth the framework for the University’s compliance with the Security Rule of the
federal Health Insurance Portability and Accountability Act of 1996 (HIPAA). It is applicable
only to those units of the University that have been designated as “covered components”
under HIPAA. This policy is limited to the final HIPAA Security Rule. Other aspects of law,
including rules governing privacy and human subject research, are addressed in other
University policies. See the University’s IRB website for policies governing human subject
research, and the University’s Policies, Procedures and Handbooks web site for policies
concerning privacy and computer security.
The University recognizes that adequate and appropriate security is necessary for HIPAA’s
privacy rules to work as intended.
It is the policy of the University of Pittsburgh to comply with the Health Insurance Portability
and Accountability Act of 1996 (HIPAA). Only designated units, departments or Schools of the
University that manage
electronic protected health information (EPHI) are subject to the HIPAA
Security Rule Regulations. This policy addresses the final HIPAA Security Rule which is
effective April 21, 2005. Each covered component within the University is responsible for
adopting site-specific procedures and
controls to address this policy.
The HIPAA Security Rule requires the University to put into place appropriate administrative,
technical and physical safeguards to protect the integrity, confidentiality and availability of
health information (EPHI) that is created, received or managed by the
University’s covered components.
EPHI includes any computer data relating to the past, present or future physical or mental
health, health care treatment, or payment for health care. EPHI includes information that
can identify an individual, such as name, social security number, address, date of birth,
medical history or
medical record number, and includes such information transmitted or
maintained in electronic format, but excluding certain education and student treatment
records. Not included within EPHI are student education records, including medical records
(which are protected under the Buckley Amendment), medical records of employees
received by the University in its capacity as an employer, and workers’ compensation
records. Although these records are not covered under the HIPAA Privacy or Security
Rules, other University Policies cover the confidentiality and security of these materials.
There are special provisions in the law governing the release
of psychotherapy records.
IV. SECURITY MEASURES
The following security measures address the 18 standards of the HIPAA Security Rule that
covered components need to comply with respect to EPHI. Each covered component must
review and modify their security measures as needed to sustain the reasonable and
appropriate protection of EPHI’s confidentiality, integrity and availability.
Implementation of control solutions to address the 18 standards should be reasonable and
appropriate, taking into account:
- The size, complexity and capabilities of the covered component;
- The covered component’s technical infrastructure, hardware, and software security
- The costs of security measures; and
- The probability and criticality of potential risk to EPHI.
1. Administrative Safeguards
1.1 To address HIPAA Section 164.308(a)(1) involving Risk Analysis, all covered
components will perform a yearly risk analysis, which will provide an accurate
and thorough assessment of the potential risks and vulnerabilities to the
confidentiality, integrity and availability of EPHI managed by the covered
component. This risk analysis is to be presented to the covered component’s
management, which will provide a documented response, including remediation
steps, for any identified risks. Covered components can request CSSD to
perform the risk analysis.
1.2 To address HIPAA Section 164.308(a)(1) involving Risk Management, all
covered components will implement measures to reduce computer risks and
1.2.1 Identifying and documenting potential risks and vulnerabilities that could
impact systems managing EPHI.
1.2.2 Performing annual technical security assessments of systems managing
EPHI in order to identify and remedy detected security vulnerabilities.
The documented results of these security assessments will be presented
to the covered component’s management, which will provide a
documented response, including remediation steps, for any identified
vulnerabilities. Covered components can request CSSD to perform
1.3 To address HIPAA Section 164.308(a)(1) involving Sanction Policy, covered
entities will adhere to the sanctions statement found in this policy, found under
1.4 To address HIPAA Section 164.308(a)(1) involving Information System Activity
Review, all covered components will periodically review information system
activity records—including audit logs, access reports, and security incident
tracking reports—to ensure that implemented security controls are effective and
that EPHI has not been potentially
compromised. Measures should include:
1.4.1 Enabling logging on computer systems managing EPHI.
1.4.2 Developing a process for the review of exception reports and/or logs.
1.4.3 Developing and documenting procedures for the retention of monitoring
data. Log information should be maintained for up to six years, either
locally on the server or through the use of backup tapes.
1.4.4 Periodically reviewing compliance to security policies and procedures.
The documented results of these compliance reviews should be
presented to the covered component’s management, which will provide
a documented response, including remediation steps, for any identified
lapses in compliance. Covered components can request CSSD to
perform compliance reviews.
1.5 To address HIPAA Section 164.208(a)(2) involving Assigned Security
Responsibility, each covered component will identify a security official
responsible for the adherence to this policy and to the implementation of
procedures required to protect the confidentiality, integrity and availability of
1.6 To address HIPAA Section 164.308(a)(3) involving Workforce Security, all
covered components will establish procedures that ensure only authorized
personnel have access to systems that manage EPHI. Measures that each
covered component should
1.6.1 Establishing a procedure that requires managerial approval before any
person is granted access to systems
1.6.2 Performing appropriate background checks, where appropriate, before
any person is granted access to
systems managing EPHI.
1.6.3 Limiting authorized persons’ access to EPHI to the extent that access to
this information achieves the requirements of the person’s job
1.6.4 Implementing procedures for terminating access to EPHI when the
employment of a person ends or the job responsibilities of the person no
longer warrants access to EPHI. These procedures should include
changing of locks/combinations if necessary, removal from logical and
physical access lists, account disablement, deletion of personal files,
and the return of security items (such as keys, access cards, and
1.6.5 Periodically reviewing the accounts on systems managing EPHI to
ensure that only currently authorized persons have access to these
1.7 To address HIPAA Section 164.308(a)(4) involving Information Access
Management, all covered components will establish procedures that ensure that
systems that manage EPHI have authorization controls that allow only authorized
personnel access. Measures that each covered component should address
1.7.1 Using systems—such as workstations, interfaces, applications,
processes or other computer-based mechanisms for accessing EPHI—
that provide authorization controls which can ensure appropriate access
authorized personnel’s job role.
1.7.2 Ensuring that these systems require a unique identification/
authentication mechanism with appropriate formats. Social security
numbers should not be used as an identification/authentication
1.7.3 Ensuring that these systems have password management features that
enforce the use of passwords as part of the identification/authentication
1.7.4 Ensuring that controlled privileged user accounts can be established
(e.g. system administrators who typically require higher levels of access
1.8 To address HIPAA Section 164.308(a)(5) involving Security Awareness and
Training, all covered components will undertake
1.8.1 Having the covered component’s security officer receive periodic
security updates. Covered components can request these periodic
security updates from CSSD.
1.8.2 Having all members of a covered component take the University’s
HIPAA security rule training course.
1.8.3 Ensuring procedures and logging mechanisms are in place for the
security officer to receive alerts notifying of failed log-in attempts from
unauthorized users. Users should be educated to note if unauthorized
access has been attempted (such as changed passwords and locked-
out accounts, or noticing that a different username has been entered
into a logon field).
1.9 To address HIPAA Section 164.308(a)(5) involving Password Management, all
covered components will ensure the following controls are in place for creating,
changing and safeguarding
passwords on systems managing EPHI:
1.9.1 Passwords must be at least 8 characters long, include a varied set of
characters (such as the use of numbers and
1.9.2 Passwords must not be shared.
1.9.3 Passwords must not be written down and stored in locations where
they can be found.
1.9.4 Passwords must not use any word found in any dictionary or proper
1.9.5 Passwords must be forced to change periodically, and must be changed
immediately if compromised.
1.10 To address HIPAA Section 164.308(a)(6) involving Security Incident Procedures,
all covered components must have procedures in place so that their security
official is notified when a system managing EPHI is involved in a security incident
(examples include virus or worm infection, accounts being compromised, and
servers damaged from a denial of service attack). The security official is to
University’s Technology Help Desk, which will log the
1.11 To address HIPAA Section 164.308(a)(7) involving Contingency Plan, all covered
components must have procedures in place to respond to an emergency or other
occurrence (such as fire, flood, vandalism, and unrecoverable hardware failures)
that damages systems managing EPHI. Measures that each covered component
should address include:
1.11.1 Having procedures for creating and maintaining backups of EPHI
adequate to both restore EPHI and the systems
maintaining this data.
1.11.2 Establishing procedures to restore any loss of data due to a disaster.
At a minimum, each University covered component should maintain
backup tapes at an off-site location that can be used to restore EPHI
and the systems maintaining this data. In the case of a system that
maintains EPHI that has been identified by the annual HIPAA risk
analysis as critical to business, medical or academic operations, the
covered component should have a documented and tested disaster
recovery plan for all critical server-based systems, communications,
and infrastructure items (such as e-mail, voice-mail, fax server, etc.).
This disaster recovery plan should be appropriate in scope, reflect
recent system updates, include crisis management team changes, and
include the latest results of the covered component’s disaster recovery
1.11.3 In the case of a system that maintains EPHI that has been identified by
the annual HIPAA risk analysis as critical to business, medical or
academic operations, the covered component should have an
operation plan that enables continuation of critical
process to assure access to EPHI and provide for adequate protection
of the security of EPHI while operating in emergency mode.
1.11.4 In the case of a system that maintains EPHI that has been identified by
the annual HIPAA risk analysis as critical to business, medical or
academic operations, and thereby requiring a disaster recovery plan,
the covered component should perform yearly recovery tests to ensure
the effectiveness of the plan as well as to provide training and experience
to those persons responsible for implementing a disaster recovery plan.
A recovery test should also be performed following significant changes to
systems maintaining EPHI. Results of the testing should be presented to
the covered component’s management, which will provide a documented
response, including remediation steps, for any identified deficiencies
with the disaster recovery plan. During testing, the covered component
should ensure that appropriate security measures are in place to
prevent unauthorized disclosure of EPHI.
1.12 To address HIPAA Section 164.308(a)(8) involving Evaluation, each covered
component should perform an annual review to demonstrate its compliance with
the University’s HIPAA Security Rule Policy. Results of the review are to be
presented to the covered component’s management, which will provide a
documented response, including remediation steps, for any identified gaps in
compliance with the policy. Covered components can request this evaluation to
2. Physical Safeguards
2.1 To address HIPAA Section 164.310(a)(1) involving Facility Access Controls, each
covered component will ensure that systems which manage EPHI are kept in
areas with physical security controls that restrict access (an “isolated room”).
Measures that each covered component should address include:
2.1.1 Ensuring that, at a minimum, servers and network equipment which
manage EPHI should be kept in an isolated room with controls that
prevent unauthorized access to these systems. These controls can
include entry doors that require a key or combination locks, or that
require a security token (such as magnetic strip ID card with
2.1.2 Documenting those persons who are permitted authorized access to the
2.1.3 Requiring unauthorized persons (such as vendors, contractors, and
visitors) to be escorted and monitored by an authorized person when
entering and remaining in
the isolated room.
2.1.4 Providing a log of access to the isolated room, which can be either a
written log or an electronic record from
an ID card reader).
2.1.5 Ensuring that records of facility maintenance or maintenance to systems
managing EPHI are kept, documenting who performed the maintenance,
who authorized the maintenance, and details of the maintenance
activities, including dates and times.
2.2 To address HIPAA Section 164.310(b) involving Workstation Use, each covered
component will ensure that only designated workstations possessing appropriate
security controls will be used to access and manage EPHI, and that these
workstations are not used in publicly-accessible areas nor used by multiple users
not authorized to access EPHI. This security measure extends to the use of
laptops and home machines. These workstations should have the following
security tools installed: anti-virus software with updated virus definitions, spyware
detection software with updated spyware definitions, and an automated patch
management system for operating system updates. Covered components can
request these security tools
2.3 To address HIPAA Section 164.310(c) involving Workstation Security, each
covered component will ensure that physical safeguards are in place to protect
workstations that access and manage EPHI, including: cable locks (for desktops
and for laptops), screens that are turned away from unauthorized users, and
access authorization mechanisms that require a user ID and password to access
the workstation. The workstation should also be configured with a password-
screensaver that is evoked after five minutes of inactivity.
2.4 To address HIPAA Section 164.310(d)(1) involving Device and Media Controls,
each covered component will ensure that procedures are in place to govern the
receipt and removal of hardware and electronic media that contains EPHI into and
out of a facility, and the movement of these items within the facility. Media can
include hard disks, tapes, floppy disks, CD ROMs, optical disks, and other means
of storing computer data. Measures that each covered component should
2.4.1 Disposing of media with EPHI when it is discarded or reused using means
that prevent its recovery, including erasing and overwriting media before
disposal, physically destroying the media, and preventing systems that
managed EPHI from being sold or donated before ensuring that EPHI
has been fully removed.
2.4.2 Ensuring that backups of EPHI are created before systems managing
EPHI are moved.
3. Technical Safeguards
3.1 To address HIPAA Section 164.312(a)(1) involving Access Control, each covered
component will ensure that security controls are in place to protect the integrity
and confidentiality of EPHI residing on computer systems, including applications,
databases, workstations, servers, and network equipment. Measures that each
should address include:
3.1.1 Assigning a unique name and or number of identifying and tracking user
identity on systems managing EPHI.
3.1.2 Establishing procedures for obtaining necessary EPHI during an
emergency, in which normally unauthorized personnel require access to
EPHI or the systems that
3.1.3 Configuring systems to terminate a logon session after a predetermined
time of inactivity. Mechanisms to accomplish logon session terminations
protected screen-savers, automatic logoff of the
application or network session, and the ability to manually lock out
access when leaving a workstation.
3.1.4 Encrypting EPHI that is transferred or stored on systems not controlled
by the covered component. This can include e-mails, interfaces
between applications, data stored on removable media (such as CD
ROMs and floppy
diskettes), and on files that are transferred over
networks. EPHI is not to be transferred using ftp (file transfer protocol),
which is a cleartext protocol that can allow the confidentiality and integrity
of data to
3.2 To address HIPAA Section 164.312(b) involving Audit Controls, each covered
component should have audit controls implemented that allow an independent
reviewer to review system activity. Audit logs that should be captured on systems
- User access and account activity
- Exception reports
- Dormant account reports
- System resource monitoring
- Data integrity controls
- Failed log-in reports
- Users switching user IDs during an on-line session
- Attempts to guess passwords
- Attempts to use privileges that have not been authorized
- Modifications to production application software
- Modifications to system software
- Changes to user privileges
- Changes to logging subsystems
Logs should be securely retained for a minimum of one year using an archiving
solution that allows for recovery within 24
hours upon request.
3.3 To address HIPAA Section 164.312(c)(1) involving Integrity, each covered
component should ensure that systems and applications managing EPHI have
the capability to maintain data integrity at all times. Examples of integrity
capabilities include error-correcting memory, disk storage with build-in error
detection and correction, checksums, and
3.4 To address HIPAA Section 164.312(d) involving Person or Entity Authentication,
each covered component should have controls in place that verify that a person
seeking access to EPHI is the one claimed. Access to data should be controlled
using the following acceptable authentication measures: username and password,
token-base authentication, biometrics, and challenge
and response mechanisms.
3.5 To address HIPAA Section 164.312(e)(1) involving Transmission Security, each
covered component should have controls in place that ensures that the integrity
of EPHI is maintained when in transit. Secure transmission mechanisms that
encrypt EPHI as well as confirms that data integrity has been maintained should
be used (such as cryptorouters, SSH, SSL, and the use of digital signatures).
The use of e-mail for transmitting EPHI should be avoided; if required, e-mails
with EHPI should
It shall be the responsibility of each covered component to implement procedures to meet
the requirements of HIPAA set forth in this policy. Every employee in a covered component
with access to EPHI is required to adhere to all HIPAA mandates. Violation of this policy
may result in
disciplinary action up to and including termination of employment. Under
federal law, violation of the HIPAA privacy rule may result in civil monetary penalties of up
to $250,000 per year and criminal sanctions
including fines and imprisonment.
VI. ADDITIONAL INFORMATION
For additional information about this Policy, contact the University’s HIPAA Security Officer.