Data Privacy Policies

Topic / Responsibility / Notes / Policy references

1. Privacy and Security Policies and Procedures
   References:
   - APS-6005 https://www.cu.edu/ope/aps/6005
   - University HIPAA Policy http://www.ucdenver.edu/research/ORC/HIPAA/Pages/Policy.aspx

2. Identification of a Privacy and Security Board and Officer
   Responsibility: Server/OIT
   Reference:
   - University HIPAA Policy http://www.ucdenver.edu/research/ORC/HIPAA/Pages/Policy.aspx

3. Management Oversight of Privacy and Security Programs
   Responsibility: Server/OIT
   Reference:
   - University HIPAA Policy http://www.ucdenver.edu/research/ORC/HIPAA/Pages/Policy.aspx

4. Sanctions for Violations of Policies and Procedures
   Responsibility: User/SEHD; Server/OIT
   References:
   - University HIPAA Policy http://www.ucdenver.edu/research/ORC/HIPAA/Pages/Policy.aspx
   - APS-6005 https://www.cu.edu/ope/aps/6005

5. Reporting Potential Problems in Privacy and Security
   Responsibility: User/SEHD; Server/OIT
   References:
   - APS-6005 https://www.cu.edu/ope/aps/6005
   - University HIPAA Policy http://www.ucdenver.edu/research/ORC/HIPAA/Pages/Policy.aspx

6. Incident Response and Incident Response Mitigation
   Responsibility: User/SEHD; Server/OIT (same as #5)
   Notes: See attached Incident Response Process Flow Diagram for unit/department responsibility.
   Reference:
   - University HIPAA Policy http://www.ucdenver.edu/research/ORC/HIPAA/Pages/Policy.aspx

7. Privacy and Security Training
   Responsibility: User/SEHD

8. Access Control, Minimum Necessary Access and Verification for Access to Data
   Responsibility: User/SEHD; Database Server/OIT
   References:
   - APS-6005 https://www.cu.edu/ope/aps/6005
   - University HIPAA Policy http://www.ucdenver.edu/research/ORC/HIPAA/Pages/Policy.aspx
   - APS-6001 https://www.cu.edu/ope/aps/6001

9. Password Management
   Responsibility: User/SEHD; Database Server/OIT (complying with university policy)
   Reference:
   - University Password Policy http://www.ucdenver.edu/faculty_staff/employees/policies/Policies%20Library/Admin/fp5-13.pdf

10. Transmitting Sensitive Information Securely including Faxing and Email
   Responsibility: User/SEHD (duplicative with #1)
   References:
   - Email and Webmail Stay Secure https://www1.ucdenver.edu/offices/office-of-information-technology/software/how-do-i-use/email-and-webmail
   - HIPAA Policy 7.1 Safeguards https://www1.ucdenver.edu/docs/default-source/offices-oit-documents/it-related-policies/hipaa-7-1-safeguards.pdf?sfvrsn=48bb7b8_6

11. Log-in Monitoring
   Responsibility: Database Server/OIT
   Notes: Needs to be implemented and documented. OIT has an internal standard for logging, monitoring and auditing that applies to all servers managed by CU Denver OIT.
   Reference:
   - HIPAA Policy 9.3 Auditing http://www.ucdenver.edu/research/Research%20Administration%20Documents/9.3%20Auditing.pdf

12. Workstation Security Configuration
   Responsibility: User/SEHD; Server/OIT (duplicative with #1)
   References:
   - APS-6005 https://www.cu.edu/ope/aps/6005
   - University HIPAA Policy http://www.ucdenver.edu/research/ORC/HIPAA/Pages/Policy.aspx

13. Device and Media Control
   Responsibility: Database Server/OIT (duplicative with #1)
   References:
   - APS-6005 https://www.cu.edu/ope/aps/6005
   - University HIPAA Policy http://www.ucdenver.edu/research/ORC/HIPAA/Pages/Policy.aspx

14. Securing Materials with Data
   Responsibility: User/SEHD (duplicative with #1)
   Reference:
   - Security and Compliance Hard Drive Disposal https://www1.ucdenver.edu/docs/default-source/offices-oit-documents/it-related-policies/hipaa-7-1-safeguards.pdf?sfvrsn=48bb7b8_6

15. Encryption
   Responsibility: Database Server/OIT
   References:
   - Encrypt Your Laptop Guidance https://www1.ucdenver.edu/offices/office-of-information-technology/software/secure-campus/encryption
   - Guide to Secure Devices https://www1.ucdenver.edu/offices/office-of-information-technology/software/secure-campus/guide-to-secure-devices
   - APS-6005 https://www.cu.edu/ope/aps/6005
   - University HIPAA Policy http://www.ucdenver.edu/research/ORC/HIPAA/Pages/Policy.aspx

16. Authorizations for Personal Health Information, if applicable
   Responsibility: User/SEHD (NA)
   Reference:
   - University HIPAA Policy http://www.ucdenver.edu/research/ORC/HIPAA/Pages/Policy.aspx

17. Permitted Uses and Disclosures of PHI, if applicable
   Responsibility: User/SEHD (NA)
   Reference:
   - University HIPAA Policy http://www.ucdenver.edu/research/ORC/HIPAA/Pages/Policy.aspx

18. HIPAA Status, if applicable
   Responsibility: Server/OIT
   Notes: UC Denver’s file servers are HIPAA compliant. Units/Departments can request assistance from the RAC team on the security of data usage.
   Reference:
   - Security and Compliance https://www1.ucdenver.edu/offices/office-of-information-technology/services/security-and-compliance

19. Business Associate Status, if applicable
   Notes: NA

20. Designating Sensitive Information
   Responsibility: User/SEHD (may be duplicative)
   Reference:
   - University Data Classifications and Impact https://www.cu.edu/ois/data-classifications-impact

21. Risk Assessments and Management
   Responsibility: User/SEHD (duplicative)
   Reference:
   - University HIPAA Policy http://www.ucdenver.edu/research/ORC/HIPAA/Pages/Policy.aspx

22. Change Control Procedures
   Responsibility: User/SEHD (user access/retiring users)
   Notes: OIT is also working on a process flow diagram to guide units/departments on their role in this process and how the OIT CAB process fits into the process.

23. Audit and Evaluation Procedures
   Responsibility: User/SEHD; Server/OIT (designated liaison and form for auditors)
   Notes: Units/Departments can request assistance from the RAC team on the security of data usage, but we are not auditors, nor do we have a specific form.