Educause Security Discussion mailing list archives

Re: HIPAA Network Guidelines


From: Adam Menos <amenos () ARTIC EDU>
Date: Tue, 11 Feb 2020 12:17:44 -0600

HIPAA is rather high level and not as deep in the weeds as for example PCI.
It emphasizes what PHI is and allows organizations to take measures as they
see fit to protect it (it's more flexible).
It does not mandate actions like PCI does such as segmenting off networks
that deal with cardholder data.
Also, another unique aspect of HIPAA is breach notification. You have to
make sure it gets reported within 60 days if the breach impacted 500 and
over individuals. Otherwise annually.
For devices that store PHI (like laptops) a good HIPAA recommendation is to
ensure the laptop is encrypted in case it gets stolen (for example).
And lastly, the concept of a BAA (Business Associates Agreement): a lot of
health organizations have been fined for not having them in place with 3rd
parties that have access to PHI.
Short answer is No, no need to segment off networks that transmit PHI. Just
ensure encryption is in place where applicable. That has been my experience
with HIPAA.

Check to see if your higher ed even applies to HIPAA. It's been noted that
many times they are not bound by it.

https://www.thompsoncoburn.com/insights/blogs/regucation/post/2016-02-03/is-your-institution-of-higher-education-covered-by-hipaa-

"*However, the Office of Civil Rights, the governmental agency that
enforces the HIPAA Privacy Rule, has clarified that the HIPAA Privacy Rule
generally does not apply to institutions of higher education.* As a matter
of law, the Rule applies only to “covered entities,” which includes health
plans, health care clearinghouses, and health care providers that transmit
health information in electronic form in connection with covered
transactions."

On Tue, Feb 11, 2020 at 11:44 AM Menne, Michael S <michael.menne () mnsu edu>
wrote:

Good morning all,

We are a medium sized University with three small HIPAA clinics. We have a
dental clinic that serves the general public, Student Health Services that
serves students and graduated students for 6 months after graduation, as
well as a Speech Rehabilitation clinic that serves the general public by
referral.



Our network team is asking for some guidelines for protecting HIPAA data
from a network standpoint. I'm not a HIPAA expert and have done the best I
can to provide guidance on network segmentation. Does anyone have any
network guidelines on protecting HIPAA information?



Thanks,



*Michael Menne, CISSP*

*Chief Information Security Officer*

*IT Solutions Information Security*

*Minnesota State University, Mankato*

*Phone:  (507) 389-5705*

*mnsu.edu/cyberaware <https://mnsu.edu/cyberaware>*









**********
Replies to EDUCAUSE Community Group emails are sent to the entire
community list. If you want to reply only to the person who sent the
message, copy and paste their email address and forward the email reply.
Additional participation and subscription information can be found at
https://www.educause.edu/community



-- 

Adam Menos
Director of Information Security
116 S Michigan Ave | Chicago, IL 60603
*Office:* 312.499.4031
*amenos () artic edu* <amenos () artic edu>


