Educause Security Discussion mailing list archives

Re: HIPAA Network Guidelines


From: "Menne, Michael S" <michael.menne () MNSU EDU>
Date: Tue, 11 Feb 2020 18:40:22 +0000

Thank you Adam.  This is very much my understanding as well.

We are a hybrid entity as our entire University isn’t covered, but we have covered functions. The two triggers for us 
are electronic insurance billing and serving the general public. If we were serving students only, FERPA would apply to 
the privacy aspect, but the HIPAA Security rule would still apply.  My experience is that FERPA is more restrictive per 
the letter of the law, but more open to interpretation as to how and who.  HIPAA isn’t as restrictive, but has more 
guidelines/rules that define how and who PHI can be shared with.

We encrypt all of our workstations regardless of function. I tend to try to apply reasonable security controls across 
the board rather than try to segment any one population of data.

I’m not involved in all of the contractual aspects, but I know our Health Services clinic has BAAs in place and 
documented for all of their partners.


Michael Menne, CISSP
Chief Information Security Officer
IT Solutions Information Security
Minnesota State University, Mankato
Phone:  (507) 389-5705
mnsu.edu/cyberaware<https://mnsu.edu/cyberaware>


Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended 
recipient(s) and may contain confidential and privileged information.  Any unauthorized review, use, disclosure or 
distribution is prohibited.  If you are not the intended recipient, please contact the sender by reply e-mail and 
destroy all copies of the original message.



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Adam Menos
Sent: Tuesday, February 11, 2020 12:18 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HIPAA Network Guidelines


HIPAA is rather high level and not as deep in the weeds as for example PCI.
It emphasizes what PHI is and allows organizations to take measures as they see fit to protect it (it's more flexible).
It does not mandate actions like PCI does such as segmenting off networks that deal with cardholder data.
Also, another unique aspect of HIPAA is breach notification. You have to make sure it gets reported within 60 days if 
the breach impacted 500 and over individuals. Otherwise annually.
For devices that store PHI (like laptops) a good HIPAA recommendation is to ensure the laptop is encrypted in case it 
gets stolen (for example).
And lastly, the concept of the BAA (Business Associate Agreement): a lot of health organizations have been fined for not 
having them in place with 3rd parties that have access to PHI.
Short answer is No, no need to segment off networks that transmit PHI. Just ensure encryption is in place where 
applicable. That has been my experience with HIPAA.

Check to see if HIPAA even applies to your higher ed institution. It's been noted that many times they are not bound by it.

https://www.thompsoncoburn.com/insights/blogs/regucation/post/2016-02-03/is-your-institution-of-higher-education-covered-by-hipaa-

"However, the Office of Civil Rights, the governmental agency that enforces the HIPAA Privacy Rule, has clarified that 
the HIPAA Privacy Rule generally does not apply to institutions of higher education. As a matter of law, the Rule 
applies only to “covered entities,” which includes health plans, health care clearinghouses, and health care providers 
that transmit health information in electronic form in connection with covered transactions."

On Tue, Feb 11, 2020 at 11:44 AM Menne, Michael S <michael.menne () mnsu edu<mailto:michael.menne () mnsu edu>> wrote:
Good morning all,
We are a medium-sized University with three small HIPAA clinics. We have a dental clinic that serves the general 
public, Student Health Services that serves students and graduated students for 6 months after graduation, as well as 
a Speech Rehabilitation clinic that serves the general public by referral.

Our network team is asking for some guidelines for protecting HIPAA data from a network standpoint. I’m not a HIPAA 
expert and have done the best I can to provide guidance on network segmentation.  Does anyone have any network 
guidelines on protecting HIPAA information?

Thanks,

Michael Menne, CISSP
Chief Information Security Officer
IT Solutions Information Security
Minnesota State University, Mankato
Phone:  (507) 389-5705
mnsu.edu/cyberaware<https://mnsu.edu/cyberaware>



**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community


--

Adam Menos
Director of Information Security
116 S Michigan Ave | Chicago, IL 60603
Office: 312.499.4031
amenos () artic edu<mailto:amenos () artic edu>
