HIPAA Security Overview and Control Families
The Security Rule standards are divided into the following categories:
- Administrative safeguards, which cover the policies, procedures and processes needed to protect ePHI, and the assignment or delegation of responsibility in meeting the standards.
- Physical safeguards, which cover mechanisms to protect electronic systems, equipment, and data from environmental hazards and unauthorized intrusion.
- Technical safeguards, which are processes used to protect data and control access to data such as authentication controls or encryption.
The HIPAA Security Program organizes these safeguards into an overview and 12 control families. Clicking on the tiles below will take you to a Box folder containing information on the requirements, standards checklists, and a procedure template.
Processes and procedures of the HIPAA Security Program including the phase 1 and phase 2 risk assessments, Joint Security and Privacy Review, SecureBox, ResearchDrive for ePHI and other program information.
Processes and procedures for recording, monitoring, and examining activities within information systems to ensure the confidentiality, integrity, and availability of IT assets.
Processes and procedures for ensuring organizational assets are inventoried, documented, maintained, and disposed of properly.
Processes and procedures for identifying and managing organizational missions, objectives, stakeholders, and Human Resources.
Processes and procedures for encrypting data and managing encryption keys.
Processes and procedures necessary to authenticate and authorize users.
Processes and procedures for ensuring timely response to detected cybersecurity events.
Processes and procedures for identifying, assessing, and controlling threats while maintaining compliance.
Processes and procedures for providing and validating security education, training, and awareness.
UW–Madison Principal Investigators (PIs) should request a Joint Security and Privacy Review to evaluate their proposal to process or disclose Protected Health Information (PHI). Use cases include IRB research, educational activities, projects involving another entity receiving UW PHI, and projects receiving PHI from another entity for a reason other than treatment.
For the UW–Madison Enterprise Box Service to be used in a HIPAA-compliant way, additional controls must be added. A process has been developed that includes the steps that must be taken before a folder in Box may contain PHI.