SEHD Wiki

A source for policies, procedures, handbooks and other resources from the School of Education and Human Development


policy:data_privacy:privacy_and_security

Differences

This shows you the differences between two versions of the page.

policy:data_privacy:privacy_and_security [2019/03/29 19:46] tonyromeropolicy:data_privacy:privacy_and_security [2019/05/20 17:22] (current) – old revision restored (2019/03/29 20:05) tonyromero
Line 13: Line 13:
 ---- ----
  
-===== University of Colorado IT Security Program Policy =====+===== Applicable University-wide policies related the Data Privacy and Policies =====
  
-The SEHD and its employees are subject to University of Colorado'IT Secuirty Program policy (APS-6005 [[https://www.cu.edu/ope/aps/6005|APS-6005]]).+==== University of Colorado IT Security Program Policy ====
  
-==== The goals of the University IT Security are as follows: ====+All data and information resources of the SEHD are subject to University of Colorado's IT Secuirty Program policy, [[https://www.cu.edu/ope/aps/6005|APS-6005]]. 
 + 
 +=== The goals of the University IT Security policy are as follows: ===
  
   - All members of the University community are aware of and are sufficiently trained to carry out their responsibilities for protecting University Infromation and IT Resources.   - All members of the University community are aware of and are sufficiently trained to carry out their responsibilities for protecting University Infromation and IT Resources.
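Review bot: The rewritten sentence under "University of Colorado IT Security Program Policy" changes who is bound by APS-6005, from "The SEHD and its employees" to "All data and information resources of the SEHD", so the new wording no longer names employees as subject to the policy; confirm that is intended, or keep both, since the first goal listed below is about people being trained for their responsibilities. In the same hunk, the new top-level heading "Applicable University-wide policies related the Data Privacy and Policies" is missing "to" after "related", the "Secuirty" misspelling is carried over from the removed line into the added one, and the unchanged list item still reads "Infromation".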
Line 25: Line 27:
   - IT security incidents are promptly detected and responded to in a manner that limits the impact to the security of University information and the operations of the University.   - IT security incidents are promptly detected and responded to in a manner that limits the impact to the security of University information and the operations of the University.
  
-Please proceed to APS-6005 to learn how the university meets these goals.+Please proceed to [[https://www.cu.edu/ope/aps/6005|APS-6005]] to learn how the university meets these goals
 + 
 +==== University of Colorado Denver Security Management HIPPA Policy ==== 
 + 
 +As applicable, the most secure SEHD data are subject to the UCD Security Management HIPPA policy, [[http://www.ucdenver.edu/research/Research Administration Documents/9.1-Security_Management.2018-02-21.POLICY.FINAL.pdf|HIPPA Policy 9.1]]. 
 + 
 +=== Purpose of the UCD Security Management HIPPA policy: === 
 + 
 +This security policy outlines minimum standards for ensuring the confidentiality, integrity, and availability of electronic protected health information (ePHI) received, maintained or transmitted by all UNIVERSITY HIPAA Covered Components (outlined in APS #5055 – HIPAA Hybrid Entity Designation), as well as other offices which support these entities (listed below as "Support Services"). Covered Components shall meet or exceed these standards by implementing the necessary administrative, physical and technical safeguards as appropriate based on their assessments of risk. Compliance with these standards by the offices which support the Covered Components is limited to their activities that directly involve creation or receipt of ePHI in support of Covered Components and not activities related to services provided to non-covered areas of the university 
 + 
 +=== Applicability of the UCD Security Management HIPPA policy === 
 + 
 +While application of this policy to any sensitive data is considered "best practice" and should be considered by all areas of the UNIVERSITY when storing or transmitting such information, it is only mandated for those areas the UNIVERSITY has designated as HIPAA "Covered Health Care Components" (Covered Components). In addition to the Covered Components, offices that support such covered activities carried out by the Covered Components must also do so according to this policy. Certain data is specifically excluded from coverage under HIPAA, most importantly: (1) student records, except for student patient data (Family Educational Rights and Privacy Act (FERPA)) ; (2) employment records, except for health benefits records; and (3) information "de-identified" under HIPAA standards.
  
  
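Review bot: The added headings, body sentence and link text spell the statute "HIPPA" ("Security Management HIPPA Policy", "HIPPA Policy 9.1"), while the policy text quoted in the same hunk uses "HIPAA"; use "HIPAA" throughout so the section is searchable under the correct name. The link target for Policy 9.1 contains literal spaces ("Research Administration Documents"), which should be percent-encoded so the link does not depend on how the wiki parser treats them. "the most secure SEHD data" reads as if it means the most sensitive data; say which data classes are meant. Two added sentences also end without a period: "learn how the university meets these goals" and "non-covered areas of the university".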
policy/data_privacy/privacy_and_security.1553888766.txt.gz · Last modified: 2019/03/29 19:46 by tonyromero