ads - Information Technology Services

ITS HIPAA Policy – Protected Health Information Security Policy

Policy Title	Policy Title2
ITS HIPAA Policy – Protected Health Information Security Policy	Responsible Office

Policy Title
ITS HIPAA Policy – Protected Health Information Security Policy
Responsible Office
ITS Information Security
Policy Type
HIPAA Compliance
Policy Number
308.1
Last Revision Date
01/27/2022
The star icon (**) denotes a term in the Definitions section of this policy document.

Purpose
The Binghamton University Information Technology Services (ITS) HIPAA Protected Health Information Security Policy guides ITS functions that are subject to Health Insurance Portability and Accessibility Act of 1996 (HIPAA)** compliance requirements. This policy supplements other University and ITS policies and documents.

For example, under the University’s data confidentiality designation document (Binghamton University, 2020), individually identifiable health information - including protected health information (PHI)** and electronic PHI (ePHI)** - that is subject to HIPAA, is categorized as Restricted information. This data designation requires the greatest protection of all data types at the University.

Breaches of Restricted data are potentially reportable to state and/or federal authorities.

HIPAA Reference: §164.530 Administrative Requirements. (i)(1) Standard: Policies and Procedures.

Scope
This policy applies to all members of the ITS workforce affiliated with HIPAA-covered functions and/or any regulated health information.

Policy Statements
General Compliance
ITS employees must protect the confidentiality, integrity, and availability of health information, as required by law.

All ITS workforce members handling PHI are required to follow all applicable policies and procedures.

As required by HIPAA, a covered entity must have appropriate sanctions, and apply those sanctions, against members of its workforce who fail to comply with the policies and procedures that protect critical University data, including but not limited to, HIPAA-regulated data.