University of Wisconsin-Madison Policy and Procedure


I. Policy

A. The units of the UW-Madison Health Care Component and each individual or unit within UW-Madison that is a Business Associate of a covered entity (hereafter collectively referred to as "units") shall be included in an appropriate Continuity of Operations Plan (COOP) which has been suitably developed or modified to address the standards set forth by the HIPAA Security Rule.

B. The COOP documentation and templates provided by the University of Wisconsin Police Department do not explicitly address the specific needs of a unit that stores or processes ePHI. The following components must be included in a COOP in order to meet the requirements of the HIPAA Security Rule. The COOP must:

1. Establish and implement procedures to create and maintain retrievable exact copies of ePHI.
2. Establish (and implement as needed) procedures to restore any loss of ePHI.
3. Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of ePHI while operating in emergency mode.
4. Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.
5. Establish and implement procedures to preserve (and as needed restore) documentation needed for compliance with the HIPAA Security Rule.
6. Establish and implement procedures that, to the extent practical, preserve (and as needed restore) security audit data needed for compliance with the HIPAA Security Rule.
7. Establish (and implement as needed) procedures that allow facility access in support of the procedures established in items 1 to 6 above.
8. Establish and implement procedures for periodic testing and revision of, at a minimum, those components of the COOP that involve or affect items 1 to 7 above.
9. Incorporate into the COOP procedures the assessment of the relative criticality of specific applications and data that store or process ePHI.

C. Responsibility for the procedures listed in I.B. is among the duties of the UW-Madison HIPAA Security Officer and the HIPAA Security Coordinator of each unit, as described in Policy # 8.2 HIPAA Security Oversight.

II. Definitions

A. Continuity of Operations Plan ("COOP"): A unit's COOP is activated if a disaster or emergency severely affects the unit. The plan ensures delivery of essential functions and guides the rebuilding of the affected unit.

B. Electronic Protected Health Information ("ePHI"): Any individually identifiable health information protected by HIPAA that is transmitted by or stored in electronic media.

C. Protected Health Information ("PHI"): Health information or health care payment information, including demographic information collected from an individual, which identifies the individual or can be used to identify the individual. PHI does not include student records held by educational institutions or employment records held by employers.

III. Procedures

Each unit should already be covered by the COOP of its school, college or division (or some other parent organizational entity within UW-Madison).

A. If the unit is already covered by a COOP, that plan should be modified in order to meet the minimum requirements for a COOP that includes within its scope a unit that stores or processes ePHI, as defined in I.B. above.

B. If the unit is not already covered by a COOP, the unit should be included in an existing COOP, develop its own COOP, or participate in the development of a broader COOP that includes the unit. The instructions and templates for development of a COOP are provided by the University of Wisconsin Police Department at: http://uwpd.wisc.edu/continuity-of-operations-plans-coop/.

C. While the COOP described in A. or B. above is being modified or developed, the unit should implement an interim version of the procedures that meet the minimum requirements for a COOP that includes within its scope a unit that stores or processes ePHI, as defined in I.B. above.

IV. Documentation Requirements

The UW-Madison HIPAA Security Officer and the HIPAA Security Coordinator of each unit will assure that copies of the COOP or procedures are retained as described in the Documentation Requirements of Policy # 8.2 HIPAA Security Oversight.

V. Forms

There are no COOP forms specific to the HIPAA Security Rule. Many forms and checklists are part of the COOP documentation and templates at: http://uwpd.wisc.edu/continuity-of-operations-plans-coop/. Some or all of these may be incorporated into a particular COOP.

VI. References

45 CFR 164.308(a)(7)(i) (HIPAA Security Rule Contingency Plan)
45 CFR 164.308(a)(7)(ii)(A) (HIPAA Security Rule Data Backup Plan)
45 CFR 164.308(a)(7)(ii)(B) (HIPAA Security Rule Disaster Recovery Plan)
45 CFR 164.308(a)(7)(ii)(C) (HIPAA Security Rule Emergency Mode Operation Plan)
45 CFR 164.308(a)(7)(ii)(D) (HIPAA Security Rule Testing and Revision Procedures)
45 CFR 164.308(a)(7)(ii)(E) (HIPAA Security Rule Applications and Data Criticality Analysis)
45 CFR 164.310(a)(2)(i) (HIPAA Security Rule Facility Access Controls/Contingency Operations)
45 CFR 164.312(a)(2)(ii) (HIPAA Security Rule Emergency Access Procedure)
45 CFR 164.316(a-b) (HIPAA Security Rule Documentation)

Resources

HIPAA Collaborative of Wisconsin Contingency Planning Whitepaper
UW-Madison Police Department Continuity of Operations Plan
UW-Madison IT Security Departmental IT Security Baseline

VII. Related Policies

Policy # 1.1 Designation of UW-Madison Health Care Component
Policy # 8.1 HIPAA Security Risk Management
Policy # 8.2 HIPAA Security Oversight
Policy # 8.11 HIPAA Security Data Management and Backup
Policy # 8.12 HIPAA Security Facilities Management

The HIPAA policies listed above are located at: www.hipaa.wisc.edu. UW-Madison IT policies are at: www.cio.wisc.edu/policies/.

VIII. For Further Information

For further information concerning this policy, please contact the UW-Madison HIPAA Security Officer or the appropriate unit's HIPAA Security Coordinator. Contact information is available within the Contact tab at www.hipaa.wisc.edu.

Reviewed By
UW-Madison HIPAA Privacy Officer
UW-Madison HIPAA Security Officer
UW-Madison Office of Legal Affairs

Approved By
Interim HIPAA Privacy and Security Operations Committee