
  1. Access - the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource.
  2. Breach - As defined in Section 13400(1)(A) of HITECH, a Breach is the unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information. (B) Exceptions: Breach does not include:
    1. any unintentional acquisition, access or use of PHI by an employee or individual acting under the authority of a CE or BA
    2. such acquisition was made under good faith and within the course and normal scope of employment or professional relationship…with CE or BA
    3. such information is not further acquired, accessed or used
    4. any inadvertent disclosure for an individual who is otherwise authorized to access PHI at a facility operated by a CE or BA
    5. any such information received as a result of such disclosure is not further acquired, accessed, etc.
    6. An EHR (electronic health record) is created, gathered, managed, and consulted by authorized health care clinicians and staff.
    7. A PHR (personal health record) is managed, shared, and controlled by or primarily for the individual.
  3. Breach Notification - The Organization defines Breach Notification as ARRA / HITECH does; see Section 13402. A CE that accesses, maintains, retains, modifies, records, stores, destroys or otherwise holds, uses or discloses unsecured protected health information (as defined in subsection (h)(1)) shall, in the case of a Breach of such information that is discovered by the CE, notify each individual whose unsecured PHI/PII, or information protected under FERPA, has been, or is reasonably believed by the CE or University to have been, accessed, acquired or disclosed as the result of such Breach.
  4. Business Associate - with respect to a covered entity, a person who:
    1. On behalf of such covered entity, but other than in the capacity of a member of the workforce of such covered entity or arrangement, creates, receives, maintains or transmits PHI, or performs or assists in the performance of a function or activity involving such PHI, which:
      1. includes claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and re-pricing; or
      2. includes any other function or activity regulated by HIPAA; or
    2. Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in 45 CFR § 164.501), management, administrative, accreditation, or financial services to or for RowanSOM and/or its units, or to or for an organized health care arrangement in which RowanSOM and/or its units participates, where the provision of the service involves the disclosure of individually identifiable health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.
  5. Covered Entity - a health plan, health care clearinghouse, or a healthcare provider who transmits any health information in electronic form in connection with a transaction covered by HIPAA. 
  6. Disclosure - the release, transfer, provision of, access to, or divulging in any other manner of information outside the entity holding the information. 
  7. Family Educational Rights and Privacy Act (FERPA) - FERPA (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.
  8. Harm Threshold Analysis - the process by which the Organization determines whether there exists any potential for financial, reputational or other harm to the patient/individual from what has been determined to be a Breach of unsecured PHI/PII or of information protected under FERPA.
  9. Individually Identifiable Health Information - information that is a subset of health information, including demographic information collected from an individual, and is created or received by a health care provider, health plan, employer, or health care clearinghouse; and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and identifies the individual; or with respect to which there is a reasonable basis to believe the information can be used to identify the individual. 
  10. Law Enforcement Official - any officer or employee of an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, who is empowered by law to investigate or conduct an official inquiry into a potential violation of law; or prosecute or otherwise conduct a criminal, civil, or administrative proceeding arising from an alleged violation of law. 
  11. Organization - for the purposes of this policy, the term "organization" shall mean the covered entity to which the policy and breach notification apply. 
  12. Protected Health Information (PHI) - individually identifiable health information: 
    1. Except as provided in paragraph two (2) of this definition, that is: a) transmitted by electronic media; b) maintained in electronic media; or c) transmitted or maintained in any other form or medium. 
    2. Protected health information excludes individually identifiable health information in: a) Education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; b) Records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and c) Employment records held by a covered entity in its role as employer. 
  13. Unsecured Protected Health Information:
    1. Protected health information (PHI) that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of technology or methodology specified by the Secretary of the Department of Health and Human Services (HHS) in the guidance issued under section 13402(h)(2) of Pub. L. 111-5 on the HHS website. HHS has issued the following guidance to protect identifiable healthcare information: https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/coveredentities/federalregisterbreachrfi.pdf
    2. Electronic PHI should be encrypted as specified in the HIPAA Security Rule by the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without the use of a confidential process or key, and such confidential process or key that might enable decryption has not been breached. To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt. The following encryption processes meet this standard.
    3. Valid encryption processes for data at rest (i.e. data that resides in databases, file systems and other structured storage systems) are consistent with National Institute of Standards and Technology (NIST) Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.
    4. Valid encryption processes for data in motion (i.e. data that is moving through a network, including wireless transmission) are those that comply, as appropriate, with NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, and may include others which are Federal Information Processing Standards (FIPS) 140-2 validated.
    5. The media on which the PHI is stored or recorded should be destroyed in the following ways:
      1. Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed. Redaction is specifically excluded as a means of data destruction.
      2. Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved.
  14. Workforce - employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity. 
  15. Personal Information (PI) - an individual's first name or first initial and last name linked with any one or more of the following data elements: 1) Social Security number; 2) driver's license number or State identification card number; or 3) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account. Dissociated data that, if linked, would constitute personal information is personal information if the means to link the dissociated data were accessed in connection with access to the dissociated data. 
  16. Personally Identifiable Information (PII) - Information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc. 
  17. Sensitive information - Any information, the loss, misuse, or unauthorized access to or modification of which could adversely impact the interests of RowanSOM in carrying out its programs or the privacy to which individuals are entitled. It includes the following:
    1. Information that is exempt from disclosure under the New Jersey Open Public Records Act (OPRA) and the Federal Family Educational Rights and Privacy Act (FERPA), such as trade secrets and commercial or financial information, information compiled for law enforcement purposes, personnel and medical files, and information contained in bank examination reports (see PL 2001, chapter 404 (c47:1A-1 – 1A-13) for further information); and personal identifiers such as home address, home email address, name and DOB, unlisted phone numbers, home phone numbers, bank account numbers, social security numbers, nationality, and private health information.
    2. Information under the control of RowanSOM and University contained in a Privacy Act system of record that is retrieved using an individual's name or by any other criteria that identifies an individual (see FDIC Rules and Regulations, 12 C.F.R. Part 310, for further information).
    3. PII about individuals maintained by RowanSOM and University that, if released for unauthorized use, may result in financial or personal damage to the individual to whom such information relates. Sensitive PII, a subset of PII, may be comprised of a single item of information (e.g., Social Security Number (SSN)) or a combination of two or more items (e.g., full name along with financial, medical, criminal, or employment information). Sensitive PII presents the highest risk of being misused for identity theft or fraud. It also includes information about insurance assessments, resolution and receivership activities, as well as enforcement, legal, and contracting activities.
  18. Sensitive Electronic Information (SEI) - includes electronic information that is protected by state or federal regulations. As such, it includes Protected Health Information (PHI) as defined under HIPAA regulations, as well as information governed by Gramm-Leach-Bliley Act (GLB) and other applicable regulations.
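As an added illustration (not part of the policy text), the following Python triage helper encodes the "unsecured PHI" criteria of definition 13 so that an incident responder can record the facts of an exposure and get a consistent first answer to whether the PHI involved counts as secured; the PhiExposure fields and the guidance labels are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Tuple

# Guidance accepted by definition 13 for encryption at rest (13.3), encryption
# in motion (13.4) and media destruction (13.5). Labels are constructed here.
AT_REST_GUIDANCE = {"NIST SP 800-111"}
IN_MOTION_GUIDANCE = {"NIST SP 800-52", "NIST SP 800-77", "NIST SP 800-113"}
DESTRUCTION_METHODS = {"shredded", "nist-800-88-clear",
                       "nist-800-88-purge", "nist-800-88-destroy"}


@dataclass
class PhiExposure:
    """Facts recorded about one exposure of PHI (hypothetical record layout)."""
    state: str                      # "at_rest", "in_motion" or "destroyed_media"
    encrypted: bool = False
    encryption_guidance: str = ""   # which NIST publication the process follows
    key_colocated: bool = False     # decryption key/tool stored with the data
    key_compromised: bool = False   # confidential process or key was breached
    destruction_method: str = ""    # e.g. "shredded", "redacted", "nist-800-88-purge"


def is_unsecured(exposure: PhiExposure) -> Tuple[bool, str]:
    """Return (unsecured, reason) per definition 13: PHI is secured only if it
    was rendered unusable, unreadable or indecipherable by an accepted method."""
    if exposure.state == "destroyed_media":
        # 13.5.1 excludes redaction as a means of destruction, so only the
        # listed shredding/sanitization methods make the PHI secured.
        if exposure.destruction_method in DESTRUCTION_METHODS:
            return False, "media destroyed per 13.5"
        return True, "destruction method '%s' not accepted" % exposure.destruction_method
    if not exposure.encrypted:
        return True, "PHI not encrypted"
    allowed = AT_REST_GUIDANCE if exposure.state == "at_rest" else IN_MOTION_GUIDANCE
    if exposure.encryption_guidance not in allowed:
        return True, "encryption not consistent with accepted guidance for " + exposure.state
    # 13.2: encryption only counts while the key has not been breached and is
    # kept on a device or at a location separate from the data.
    if exposure.key_compromised:
        return True, "confidential process or key has been breached"
    if exposure.key_colocated:
        return True, "decryption key stored with the encrypted data"
    return False, "encrypted per accepted guidance; key separate and not breached"


if __name__ == "__main__":
    # Constructed incident: a lost laptop whose disk was encrypted per 800-111
    # but whose recovery key was taped to the lid.
    laptop = PhiExposure("at_rest", encrypted=True,
                         encryption_guidance="NIST SP 800-111", key_colocated=True)
    print(is_unsecured(laptop))
```

A "True" result means the exposure must proceed to the Harm Threshold Analysis of definition 8 rather than being closed under the encryption or destruction safe harbor.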
