Annual HIPAA System Administrators Checklist

HIPAA System Administrators* are individuals responsible for the management and oversight of computer systems, data files, and devices that collect, store, or transmit electronic protected health information (ePHI). A "system" can be as simple as ePHI stored in an Excel spreadsheet or as complex as databases housed on multiple servers. If you are responsible for the management, storage, and oversight of ePHI, you are responsible for its security. It is the responsibility of system administrators to ensure that the systems they administer are secure and that ePHI is protected.

To ensure that HIPAA systems are protected, administrators must understand the roles and responsibilities of a HIPAA System Administrator, implement appropriate security controls, annually attest that the following checklist has been completed, and attend Annual HIPAA training.

The attached checklist, in conjunction with your local administrative procedures, is designed to assist with annual and ongoing HIPAA Security compliance. Once this checklist is completed and provided to IT Security, it becomes an official record of your stated level of HIPAA Security compliance. It does not modify your existing responsibilities as a HIPAA System Administrator, but serves as one form of compliance documentation. Please scan and email your completed copy to IT Security at ITSecurity@ecu.edu within 45 days of the issuance date.

* Special Note: A HIPAA System Administrator is the individual responsible for the administrative, technical, and physical access to ePHI. Any ePHI residing outside of Centricity or the ECU-Physicians Electronic Health Record [EHR] (formerly known as HealthSpan) must have an identified system administrator (Centricity and EHR administrators are already identified).

System Administrators are responsible for electronic PHI wherever it resides: on a workstation, PirateDrive, a database, an externally hosted application, a sponsored program, or a medical device such as an ultrasound machine. Some HIPAA System Administrators, who are responsible only for the data or for the application that processes the data, may not realize that they are acting as a system administrator. Some HIPAA System Administrators share their responsibilities with an IT resource responsible for the physical system or the operating system (OS). If you manage any ePHI, it is your responsibility to determine which responsibilities are yours and which belong to the IT resource. Regardless of the IT resource's role, it is the HIPAA System Administrator's responsibility to ensure the security of the ePHI they oversee and to notify management of non-compliance. If you are unsure of your responsibilities, email ITSecurity@ecu.edu to set up a consultation.

ITSecurity@ecu.edu Issuance Date: Page 1 of 4

HIPAA Systems Administrator Checklist

For each requirement, mark Yes, No, or N/A.

1. Complete the Annual HIPAA Security Training in Blackboard (Bb). Visit the HIPAA website, under HIPAA Security, for instructions on the Bb Annual HIPAA Security Training.

2. Complete the HIPAA Systems Administrators Training in Blackboard (Bb). (This training is optional.) The HIPAA System Administrators Training provides an overview of how to complete the required HIPAA documentation templates and Risk Assessments.

3. Ensure all users who access your HIPAA system(s) are trained in the HIPAA Security Standards and follow the required procedures.

4. Complete all HIPAA Procedures located in your HIPAA PirateDrive folder. The HIPAA Procedure Templates are available in your HIPAA folder and were assigned to you by IT Security. Email ITSecurity@ecu.edu with questions concerning the templates or access to your folder.

5. Document and track all users who are authorized to access the HIPAA system(s) you administer. Also document the approval process for user access.

6. Review users' access quarterly and document each review. Update user access whenever a user's role changes. Immediately remove access when a user's employment terminates or the user transfers.

7. Document a complete inventory of your HIPAA system components. Review and update the system inventory at least annually.

8. Document the security controls in place to safeguard the physical security of your HIPAA system.

9. Perform an annual Risk Assessment on your HIPAA system(s). Whenever changes occur to your HIPAA system or its environment (for example, new equipment or software upgrades), a new Risk Assessment must be conducted. Store all assessments in the HIPAA folder assigned to your area. Email ITSecurity@ecu.edu if you need assistance with access to your HIPAA folder.

10. Document a contingency plan for your HIPAA system.

11. Ensure an information security review is conducted on any new HIPAA system prior to purchase or implementation. All security concerns identified by the review must be addressed and documented prior to implementation. Email ITSecurity@ecu.edu to schedule a security review.

12. Ensure all HIPAA systems adhere to the HIPAA Security requirements specified by the ECU HIPAA Security Policies, Standards, and Procedures.

13. Ensure any data hosted outside of ECU by your HIPAA system is covered by a fully executed ECU Business Associate Agreement (BAA). Provide the completed and signed BAA to IT Security by email at ITSecurity@ecu.edu.

14. Ensure all data is protected by appropriate security controls (encryption, virus protection, an up-to-date operating system, etc.) as required for the system and its data.

15. If you share HIPAA System Administrator responsibilities with ITCS or other IT resources, document all responsibilities and the parties responsible for each. Ensure all parties adhere to the requirements in this checklist. If you leave your department, ensure your administrator duties are transitioned to your replacement.

16. Report any HIPAA non-compliance immediately to your supervisor. Report non-compliance of ITCS resources to the University Information Security Officer at ITSecurity@ecu.edu. If non-compliance of other IT resources is discovered, report it to the appropriate departmental supervisor of that IT resource.

17. Inform your department head or dean of information security concerns and risks prior to implementation, or as soon as you become aware of them for existing systems. If the department head or dean agrees to accept residual security risks rather than remediate them, document this acceptance using the HIPAA Risk Acceptance Document provided by IT Security. A sample Risk Acceptance document is viewable on the HIPAA Security website. To acquire an official copy, submit a request by email to ITSecurity@ecu.edu.

18. Immediately report any information security incident to your supervisor and to the ITCS Helpdesk at 328-9866 or https://ithelp.ecu.edu/.

Certification

I certify that all HIPAA systems and ePHI data under my purview have been reviewed and approved, and that ePHI is being stored, transmitted, and used in a manner consistent with the HIPAA Security Standards and other applicable directives.

SYSTEM ADMINISTRATOR NAME: __________________________
SYSTEM ADMINISTRATOR SIGNATURE: __________________________
DATE: __________

DEPARTMENT HEAD NAME: __________________________
DEPARTMENT HEAD SIGNATURE: __________________________
DATE: __________