Annual HIPAA System Administrators Checklist

HIPAA System Administrators* are individuals responsible for the management and oversight of
computer systems, data files, and devices that collect, store, or transmit electronic protected health
information (ePHI). A "system" can range from something as simple as ePHI stored in an Excel spreadsheet
to something as complex as databases housed on multiple servers. If you are responsible for the management,
storage, and oversight of ePHI, you are responsible for its security.
It is the responsibility of system administrators to ensure the systems they administer are secure and
ePHI is protected. To ensure that HIPAA systems are protected, administrators must understand the
roles and responsibilities of a HIPAA System Administrator, implement appropriate security controls,
annually attest that the following checklist has been completed, and attend Annual HIPAA training.
The attached checklist, in conjunction with your local administrative procedures, is designed to assist
with annual and ongoing HIPAA Security compliance. Once this checklist is completed and provided to
IT Security, it becomes an official record indicating your stated level of HIPAA Security compliance. It
does not modify your existing responsibilities as a HIPAA Systems Administrator, but serves as one form
of compliance documentation. Please scan and email your completed copy to IT Security at
ITSecurity@ecu.edu within 45 days of the issuance date.
* Special Note: A HIPAA System Administrator is the individual responsible for the administrative,
technical, and physical access to ePHI. Any ePHI residing outside of Centricity or ECU-Physicians
Electronic Health Record [EHR] (formerly known as HealthSpan) must have an identified system
administrator (Centricity and EHR administrators are already identified). System Administrators are
responsible for electronic PHI whether on a workstation, PirateDrive, database, externally-hosted
application, sponsored program, or medical device such as an ultrasound machine.
Some HIPAA System Administrators, who are responsible only for the data or for the application that
processes the data, may not realize their role as a system administrator. Some HIPAA System
Administrators share their responsibilities with an IT resource responsible for the physical system or
the operating system (OS). If you manage any ePHI, it is your responsibility to determine your level
of responsibility as opposed to that of the IT resource. Regardless of the IT resource's role, it is the HIPAA
System Administrator's responsibility to ensure the security of the ePHI which they oversee and to
notify management of non-compliance. If you are unsure of your responsibilities, email
ITSecurity@ecu.edu to set up a consultation.
ITSecurity@ecu.edu
Issuance Date:
Page 1 of 4
HIPAA Systems Administrator Checklist
No.  Yes  No  N/A  Specific Requirement
1. Complete the Annual HIPAA Security Training in BlackBoard (Bb). Visit the HIPAA Website under HIPAA Security for instructions for the Bb Annual HIPAA Security Training.
2. Complete the HIPAA Systems Administrators Training in BlackBoard (Bb). **This training is optional** The HIPAA System Administrators Training provides an overview on how to complete the required HIPAA documentation templates and Risk Assessments.
3. Ensure all users who access your HIPAA system(s) are trained in HIPAA Security Standards and follow required procedures.
4. Complete all HIPAA Procedures located in your HIPAA PirateDrive folder. The HIPAA Procedure Templates are available in your HIPAA folder and were assigned to you by IT Security. Email ITSecurity@ecu.edu for questions concerning the templates or access to your folder.
5. Document and track all users who are authorized to access the HIPAA system(s) you administer. Also document the approval process for user access.
6. Review users' access quarterly. Document the review of user access. Also, update user access whenever a user's role changes. Immediately remove users when employment terminates or transfers.
7. Document a complete inventory of your HIPAA system components. Review and update the system inventory at least annually.
8. Document the security controls in place to safeguard the physical security of your HIPAA System.
9. Perform an annual Risk Assessment on your HIPAA system(s). Whenever changes occur with your HIPAA system or environment, a new Risk Assessment must be conducted. Examples of changes are: new equipment, software upgrades, etc. Store all assessments in the assigned HIPAA folder for your area. Email ITSecurity@ecu.edu if assistance is needed with access to your HIPAA folder.
10. Document a contingency plan for your HIPAA system.
11. Ensure an information security review is conducted on any new HIPAA system prior to purchase or implementation. All security concerns discovered as a result of the security review must be addressed and documented prior to implementation. Email ITSecurity@ecu.edu to schedule a security review.
12. Ensure all HIPAA systems adhere to HIPAA Security requirements as specified by ECU HIPAA Security Policies, Standards and Procedures.
13. Ensure any data hosted outside of ECU by your HIPAA system is covered by a fully executed ECU Business Associate Agreement. Provide the completed and signed BAA to IT Security by email at ITSecurity@ecu.edu.
14. Ensure all data is protected by appropriate security controls, such as encryption, virus protection, updated operating systems, etc., as required for the system and its data.
15. If you share HIPAA System Administrator's responsibilities with ITCS or other IT resources, document all responsibilities and parties. Ensure all parties adhere to the requirements within this checklist. If you leave your department, ensure your administrator's duties are transitioned to your replacement.
16. Report any HIPAA non-compliance immediately to your supervisor. Report non-compliance of ITCS resources to the University Information Security Officer at ITSecurity@ecu.edu. If non-compliance of other IT resources is discovered, report it to the appropriate departmental supervisor of the IT resource.
17. Inform your department head or dean of information security concerns and risks prior to implementation or when you become aware of them (with existing systems). If the department head or dean agrees to accept residual security risks rather than remediate, document this acceptance using the HIPAA Risk Acceptance Document provided by IT Security. A sample Risk Acceptance document is viewable on the HIPAA Security website. To acquire an official copy, please submit a request by email to ITSecurity@ecu.edu.
18. Immediately report any information security incident to your supervisor and the ITCS Helpdesk at 328-9866 or https://ithelp.ecu.edu/.
I certify that all HIPAA systems and ePHI data under my purview have been reviewed and approved, and
that ePHI is being stored, transmitted, and used in a manner consistent with the HIPAA Security
Standards and other applicable directives.
SYSTEM ADMINISTRATOR NAME: __________________________
SYSTEM ADMINISTRATOR SIGNATURE: __________________________
DATE: __________

DEPARTMENT HEAD NAME: __________________________
DEPARTMENT HEAD SIGNATURE: __________________________
DATE: __________