
ROWAN UNIVERSITY POLICY

...

 

Title: Mobile Computing and Removable Media Policy

Subject: Information Security
Policy No: ISO: 2013:02
Applies: University-wide
Issuing Authority: Vice President for Information Resources and Chief Information Officer

Responsible Officer: Chief Information Security Officer  

Date Adopted: 07-01-2013

Last Revision: 09-24-2014

Last Review: 09-24-2014

 

I.      PURPOSE

To establish the requirements for the physical and technical protection and access control of Mobile Computing Devices and Removable Media that connect to the University's information systems.

...

M.  Treatment, Payment, and Health Care Operations (TPO) – The core health care activities of "Treatment," "Payment," and "Health Care Operations" are defined in the Privacy Rule at 45 CFR 164.501.

    1. "Treatment" generally means the provision, coordination, or management of health care and related services among health care providers or by a health care provider with a third party, consultation between health care providers regarding a patient, or the referral of a patient from one health care provider to another.
    2. "Payment" encompasses the various activities of health care providers to obtain payment or be reimbursed for their services and of a health plan to obtain premiums, to fulfill their coverage responsibilities and provide benefits under the plan, and to obtain or provide reimbursement for the provision of health care 
    3. "Health care operations" are certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of treatment and payment. These activities, which are limited to the activities listed in the definition of "health care operations" at 45 CFR 164.501, include:
      1. Conducting quality assessment and improvement activities, population-based activities relating to improving health or reducing health care costs, and case management and care coordination;
      2. Reviewing the competence or qualifications of health care professionals, evaluating provider and health plan performance, training health care and non-health care professionals, accreditation, certification, licensing, or credentialing activities;
      3. Underwriting and other activities relating to the creation, renewal, or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to health care claims;
      4. Conducting or arranging for medical review, legal, and auditing services, including fraud and abuse detection and compliance programs;
      5. Business planning and development, such as conducting cost-management and planning analyses related to managing and operating the entity; and
      6. Business management and general administrative activities, including those related to implementing and complying with the Privacy Rule and other Administrative Simplification Rules, customer service, resolution of internal grievances, sale or transfer of assets, creating de-identified health information or a limited data set, and fundraising for the benefit of the covered entity.

 

V.    REFERENCES

Federal Information Security Management Act (FISMA) http://csrc.nist.gov/drivers/documents/FISMA-final.pdf

...

A.  All members of the University community have a responsibility to protect the Confidentiality, Integrity, and Availability of University information collected, processed, transmitted, or stored on mobile computing devices and removable media.

    1. "Confidentiality" – the expectation that only authorized individuals, processes, and systems will have access to ROWAN's information.
    2. "Integrity" – the expectation that ROWAN's information will be protected from intentional, unauthorized, or accidental changes.
    3. "Availability" – the expectation that information is accessible by ROWAN when needed.

B.  Because the use of such devices and media presents an information security risk to the University, each business unit must establish departmental procedures governing their use, including whether the use of personal devices and media is permitted for the conduct of sound University business.

...