hipaa-policies


CIRG HIPAA Compliance Policies

last revised 2020-06-24 (version 20.1)

HIPAA compliance has two primary elements. The first includes technical guidelines, both physical and digital. Compliance requires taking measures to secure hardware and manage software to address a set of requirements. Encryption, logging, and monitoring are just a few examples of HIPAA technical requirements. CIRG builds its systems with these guidelines in mind.

The second element of HIPAA is focused on administrative and organizational activities. This includes signing Business Associate Agreements (BAAs) and managing company policies like training, among other things. Crafting policies that align with HIPAA administrative guidelines is straightforward, but maintaining the documentation is a significant task.

Who is behind this?

The Clinical Informatics Research Group at the University of Washington

CIRG designs, develops, builds, and operates information systems that securely manage health information for projects in the Clinical, Public Health, and Global Health Informatics domains.

Our collaborators are based at the University of Washington, in national and state governments, and at health care and research organizations across the US and around the world. Our team is led by Dr. Bill Lober, whose background is in emergency medicine and computer engineering, and our staff consists of software developers, system programmers, experts in interaction design/usability and health data system operations, and both graduate and undergraduate students.

Contact us:

Bill Lober, MD MS, Principal Investigator, lober@uw.edu +1.206.616.6685

Justin McReynolds, MS, Technical Program Manager, mejustin@uw.edu

History

CIRG has developed, updated, and periodically reviewed documented security policies since 2008. In 2013 those policies underwent significant revision to reflect changes in the UW Medicine ITS security policies, and to incorporate certain of those policies by reference. In early 2014 we extended our policies to reference specific HIPAA controls for administrative, physical and technical safeguards. In mid-2017 we adopted this new framework for segmenting, updating, tracking and documenting review of our policies.

(We are grateful for the work of Datica Health, Inc - formerly Catalyze.io - both in creating a useful policy framework, and in making that framework available on github for reuse. We have used their policy framework as the basis for a reorganization of our own CIRG security policies, as well as for the idea of maintaining those policies on github.)

Policy Index

Each policy element is listed below as a separate section.

The latest version of this document, as a navigable web site, is at https://uwcirg.github.io/hipaa-policies

A recent version of the full policies as a downloadable PDF can be found at https://tiny.cc/cirgHIPAApolicies