Educause Security Discussion mailing list archives
Re: HIPAA Network Guidelines
From: "Menne, Michael S" <michael.menne () MNSU EDU>
Date: Tue, 11 Feb 2020 18:40:22 +0000
Thank you Adam. This is very much my understanding as well. We are a hybrid entity as our entire University isn’t covered, but we have covered functions. The two triggers for us are electronic insurance billing and serving the general public. If we were serving students only, FERPA would apply to the privacy aspect, but the HIPAA Security Rule would still apply. My experience is that FERPA is more restrictive per the letter of the law, but more open to interpretation as to how and who. HIPAA isn’t as restrictive, but has more guidelines/rules that define how and with whom PHI can be shared. We encrypt all of our workstations regardless of function. I tend to try to apply reasonable security controls across the board rather than try to segment any one population of data. I’m not involved in all of the contractual aspects, but I know our Health Services clinic has BAAs in place and documented for all of their partners.

Michael Menne, CISSP
Chief Information Security Officer
IT Solutions Information Security
Minnesota State University, Mankato
Phone: (507) 389-5705
mnsu.edu/cyberaware

Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Adam Menos
Sent: Tuesday, February 11, 2020 12:18 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HIPAA Network Guidelines

HIPAA is rather high level and not as deep in the weeds as, for example, PCI. It emphasizes what PHI is and allows organizations to take measures as they see fit to protect it (it's more flexible). It does not mandate actions like PCI does, such as segmenting off networks that deal with cardholder data. Also, another unique aspect of HIPAA is breach notification. You have to make sure it gets reported within 60 days if the breach impacted 500 and over individuals. Otherwise annually. For devices that store PHI (like laptops) a good HIPAA recommendation is to ensure the laptop is encrypted in case it gets stolen (for example). And lastly the concept of BAA (Business Associates Agreement): a lot of health organizations have been fined for not having them in place with 3rd parties that have access to PHI.

Short answer is No, no need to segment off networks that transmit PHI. Just ensure encryption is in place where applicable. That has been my experience with HIPAA.

Check to see if your higher ed even applies to HIPAA. It's been noted that many times they are not bound by it.

https://www.thompsoncoburn.com/insights/blogs/regucation/post/2016-02-03/is-your-institution-of-higher-education-covered-by-hipaa-

"However, the Office of Civil Rights, the governmental agency that enforces the HIPAA Privacy Rule, has clarified that the HIPAA Privacy Rule generally does not apply to institutions of higher education. As a matter of law, the Rule applies only to “covered entities,” which includes health plans, health care clearinghouses, and health care providers that transmit health information in electronic form in connection with covered transactions."

On Tue, Feb 11, 2020 at 11:44 AM Menne, Michael S <michael.menne () mnsu edu> wrote:

Good morning all,

We are a medium sized University with three small HIPAA clinics. We have a dental clinic that serves the general public, Student Health Services that serves students and graduated students for 6 months after graduation, as well as a Speech Rehabilitation clinic that serves the general public by referral. Our network team is asking for some guidelines for protecting HIPAA data from a network standpoint. I’m not a HIPAA expert and have done the best I can to provide guidance on network segmentation. Does anyone have any network guidelines on protecting HIPAA information?

Thanks,

Michael Menne, CISSP
Chief Information Security Officer
IT Solutions Information Security
Minnesota State University, Mankato
Phone: (507) 389-5705
mnsu.edu/cyberaware

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community

--
Adam Menos
Director of Information Security
116 S Michigan Ave | Chicago, IL 60603
Office: 312.499.4031
amenos () artic edu