HIPAA and Sensitive Data Management
Click on the icon to view the file in Word or Acrobat.
| Contingency Plan Procedures |
| Data Integrity and Validation Procedures |
| Device and Media Controls Procedures |
| Electronic Records Access Control Policy |
| Facility Access Controls |
| Information Access Procedures |
| Password Management Procedures |
| Proper Internet Use Policy and Procedures |
| Security Management Procedures |
| Unscheduled Outage Process |
| Security Incident Response and Reporting |
| Security Awareness and Training |
| System Access Control Procedures |
| System Audit Control Procedures |
| Transmission Security Procedures |
| Workforce Security Procedures |
| Workstation Use Procedures |
Click on the icon to view the file in Word or Acrobat.
| Account Creation Form (writable PDF) |
| Account Termination Form (writable PDF) |
| Access to Sensitive Data Form (writable PDF) |
| Access with or without Consent Form |
| March 4, 2005 Presentation |
| March 30, 2005 Presentation |
| 650-16 Information Security and Confidentiality |
| Incident Response Process for Hacked/Compromised Computers |
| Medical Center and ITS Unscheduled Outage Process |
| Medical Center and ITS Unscheduled Outage Flowchart |
| UCSF Lost or Stolen Mobile Device or Media Flowchart |
| Recommendations for Securing Your Mobile Device(s) or Home Computer |
| Campus HIPAA Website |
| Departmental HIPAA Security Compliance Website |
| HIPAA Handbook |
| HIPAA and Human Research |
Research-related Health Information (RHI)
The University of California's HIPAA Task Force has coined the
term "Research-related Health Information" (RHI) to clarify
the types of data used in research that would be person-identifiable but
would not be considered PHI.
Protected or Personal Health Information (PHI)
Protected or personal health information (PHI) is any information in the
medical record or designated record set that can be used to identify an
individual and that was created, used, or disclosed in the course of providing
a health care service such as diagnosis or treatment. Research records
of patient care must also be protected. If health-related information
is de-identified, it is not PHI and may be shared without restriction.
De-identification means the removal of all personal identifiers. If any
of these personal identifiers is associated with health information, that
information becomes PHI:
· Names
· Dates
· Postal Addresses
· Phone Numbers
· Fax Numbers
· Email addresses
· Social Security Numbers
· Medical Record Number
· Health Plan Number
· Account Numbers
· License/Certificate Numbers
· Vehicle ID Numbers
· Device Identifiers
· Web URLs
· IP Address Numbers
· Biometric Identifiers
· Photos/comparable images
· Any other unique identifier
electronic Protected Health Information (ePHI)
If PHI is created, received, maintained, or transmitted electronically,
it becomes ePHI. HIPAA security regulations require that all electronic
protected health information (ePHI) have adequate security protections
and that the university maintain documentation of risk assessment, monitoring,
and other security parameters for PHI stored electronically (45 CFR Part
164).
