Health Information Privacy and Security Policy

Effective November 8, 2013

I. Purpose:

The purpose of this policy is to ensure that the John A. Burns School of Medicine (JABSOM) provides appropriate mechanisms to safeguard protected health information in compliance with federal and state law and any applicable policies of the University of Hawaii, and to further ensure that the School of Medicine’s response to, and reporting of, an information security and privacy incident complies with the HIPAA Privacy and Security rules. This policy shall apply JABSOM-wide.

II. Definitions:

  1. HIPAA – The Health Insurance Portability and Accountability Act of 1996, and the related federal regulations issued pursuant to law.
  2. Individual – The person who is the subject of the protected health information.
  3. HIPAA Privacy Rule – federal regulations providing for the privacy of protected health information.
  4. HIPAA Security Rule – federal regulations protecting a subset of information covered by the Privacy Rule, which is all individually identifiable health information a covered entity creates, receives, maintains or transmits in electronic form. Specifically, covered entities must:
    1. ensure the confidentiality, integrity, and availability of all electronic protected health information they create, receive, maintain or transmit;
    2. identify and protect against reasonably anticipated threats to the security or integrity of the information;
    3. protect against reasonably anticipated, impermissible uses or disclosures; and
    4. ensure compliance by their workforce.
  5. Protected Health Information (PHI) – Health information, including demographic information, transmitted or maintained by a covered entity or its business associate in any form that:
    1. relates to the past, present, or future physical or mental health condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual; and
    2. identifies the individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the individual; and
    3. is not an educational record (as defined in the Family Educational Rights and Privacy Act, 20 U.S.C. 1232g); and
    4. is not an employment record.
  6. Workforce* – employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate.

III. Policy

  1. JABSOM is committed to safeguarding any PHI in its care, and will maintain a process for defining and identifying a security incident.
  2. PHI will be used or disclosed only as permitted by JABSOM’s and/or the University of Hawaii’s policies and applicable law.
  3. All members of JABSOM’s workforce with access to PHI are personally responsible for protecting its privacy and security. This includes: employees, physicians, residents, contractors, vendors, students, and any other persons under the direct control of JABSOM, whether temporary or permanent, paid or unpaid.
  4. As applicable, each workforce member is responsible for understanding and fully complying with the HIPAA policies of the healthcare provider/facility/office where the workforce member is assigned, works, and/or provides services.
  5. A Privacy Officer and an Information Security Officer will be appointed who are responsible for the development and implementation of appropriate policies and for continuing oversight of privacy and security practices.
  6. To the extent applicable, access to PHI will be limited to those authorized workforce members with a valid need to know said PHI.
  7. PHI will be used solely for approved functions, never for personal or non-work related purposes.
  8. Reasonable effort will be made to confine uses and disclosures of PHI to the minimum amount necessary to accomplish the intended purpose of the use and disclosure.
  9. JABSOM will organize an Incident Response Team (IRT) with primary responsibility for the reporting of, and response to, security and privacy incidents. The IRT will perform an investigation when evidence shows that a security or privacy incident has occurred and will respond promptly to the incident. JABSOM will establish a process for promptly responding to security and privacy incidents.
  10. JABSOM will establish a process for promptly reporting security or privacy incidents and a procedure for JABSOM’s workforce members to report a security or privacy incident to the appropriate management personnel.
  11. JABSOM will provide training and awareness for JABSOM workforce members, as appropriate, in its process for promptly reporting security or privacy incidents in accordance with JABSOM’s security policies. Workforce members will complete training on HIPAA and related policies and will be provided retraining at regular intervals.
  12. Appropriate technical and physical safeguards will be established to protect PHI from intentionally or unintentionally being used or disclosed in violation of HIPAA or applicable JABSOM or University of Hawaii policies. Appropriate safeguards will be taken for any health information that is used for educational purposes, including facially de-identifying information to be used for educational purposes, appropriate use of computer passwords, and appropriate destruction of materials, when warranted.
  13. Workforce members may not use, disclose or transmit PHI for redisclosure in any manner that would violate the requirements of HIPAA.
  14. Workforce members will not transmit PHI over the Internet or any other insecure or open communication channel unless the transmission is encrypted using standards in compliance with HIPAA regulations.
  15. Workforce members will not maintain, store, or transmit electronic PHI in any format that constitutes unsecured PHI under the provisions of HIPAA.
  16. JABSOM will mitigate, to the extent feasible, any harm to individuals resulting from workforce violations of HIPAA and/or JABSOM’s privacy and security policies. Consequently, workforce members must report activities by any person that he/she suspects may compromise the privacy or security of PHI. Reports made in good faith about such activities will be held in confidence to the extent appropriate under the policies of JABSOM and the University of Hawaii, and applicable law.
  17. Violations of HIPAA and/or applicable privacy or security policies will result in appropriate disciplinary action.

IV. Procedure

  1. Requirements for investigation of security incidents:
    1. It is the responsibility of all members of JABSOM to report any security or privacy incidents or suspected security or privacy incidents to the JABSOM Information Security Officer or designee as soon as the incident or suspected incident is discovered.
    2. The IRT will be formed by appointment from JABSOM and adequately trained. Membership shall include the JABSOM Information Security Officer and Privacy Officer, and others as deemed appropriate.
    3. The IRT is responsible for investigating and mitigating any identified security or privacy incidents or suspected incidents. This includes investigation, mitigation, breach notification if appropriate, implementation or update of security and privacy controls and reporting findings and actions taken to JABSOM executive leadership in a timely manner.
    4. IRT’s responsibilities include:
      1. Respond to all security and/or privacy incidents or suspected incidents
      2. Identify affected critical systems, policies or practices
      3. Assess damage and scope of incident
      4. Control and contain the breach/intrusion, as necessary
      5. Collect and document all evidence relating to the incident
      6. Contact additional support members as necessary for investigation of a given incident
      7. Contact and communicate with other affected entities as appropriate
      8. Confer with appropriate JABSOM and/or University of Hawaii staff/personnel to determine appropriate course of action regarding notification, if appropriate, of patients, law enforcement, insurance carriers, or other parties
      9. Provide liaison to proper criminal and legal authorities under the direction of JABSOM and/or the University of Hawaii
      10. Initiate breach notification if appropriate
      11. Consider communications issues
      12. Implement new or strengthen existing policy and security controls to prevent future incidents of a similar nature
      13. Document the investigation, mitigation, and future prevention activities
    5. All security or privacy incidents will be reported to a designated IRT member (or the IRT member on-call, as applicable) in as timely a manner as necessary to minimize damage. The IRT member(s) will make a quick evaluation of the information available and determine whether IRT activation is warranted.
    6. At the time an incident is reported, IRT members are required to:
      1. Determine if the incident warrants further investigation/action
      2. Categorize the security or privacy incident
      3. Determine what, if any, outside workforce members/managers or outside entities should be contacted
      4. Make sure all proper procedures are followed for the investigation to reasonably ensure evidence and the nature of the incident is preserved
      5. Document the investigative steps taken and evidence gathered
    7. If warranted, provide a detailed analysis of the incident to the executive leadership of JABSOM.
    8. All reports regarding security or privacy incidents or suspected security or privacy incidents shall be retained for a minimum of six years following the conclusion of the investigation, or longer if required by state law.

*Nothing contained herein, including use of the term “workforce” or the use of any other terms defined or used under HIPAA, shall in any way be construed as implying that the University of Hawai`i or its John A. Burns School of Medicine is a “Covered Entity” or “Business Associate”, as those terms are defined under HIPAA, and as entities/persons defined as such are regulated therein.

Considered and Accepted by JABSOM Faculty Senate: 3/14/13
Approved by the Executive Committee: 4/19/13
Accepted by Dean Jerris R. Hedges, MD, MS, MMM: 11/8/13