- ITS staff must comply with these policies.
This compliance is key to ITS alignment of selected current and future ITS services to meet the necessary administrative, physical and technical safeguards required by HIPAA, the Health Insurance Portability and Accountability Act (HIPAA). HIPAA compliance generally focuses on risk analysis; the use of reasonable security controls; well-documented policies, procedures, and practices; and staff education and awareness.
- U-M units may use them as templates.
U-M units are welcome to use and adapt these policies and standards as templates for unit-specific training and awareness related to HIPAA compliance.
Code of Conduct
The code of conduct spells out specific staff responsibilities and behaviors when working in an environment where Protected Health Information (PHI) is maintained. All ITS staff members are required to read and sign an acknowledgement that they will abide by the code as part of ITS HIPAA compliance procedures. A signed copy of the code of conduct is maintained in their personnel file by ITS HR.
- For ITS staff: ITS Code of Conduct and Confidentiality Agreement (PDF)
- For other U-M staff: Code of Conduct and Confidentiality Agreement (PDF)
Data Management Policies
Data management policies generally describe the administrative and behavioral requirements necessary for HIPAA compliance.
- Acceptable Use of ITS Core Image Workstations (DM-01) (Google Doc). Users of ITS core image workstations (MiWorkspace) are required to follow specific acceptable use practices to minimize the possibility of loss or unauthorized disclosure of PHI.
- Business Associate Agreements (DM-02) (Google Doc). This policy describes the HIPAA compliance requirements for external providers of products and services that maintain or have access to PHI stored in ITS systems.
- Email Communications Containing Protected Health Information (DM-03) (Google Doc). ITS staff cannot share institutional PHI via email unless there is a legitimate, approved business need and that email service is permitted by the Sensitive Regulated Data: Permitted and Restricted Uses Standard (DS-06).
- Workforce Security and Access Management to ITS Systems Maintaining Protected Health Information (DM-04) (Google Doc). This policy describes the internal ITS processes to ensure that appropriate access to PHI is authorized and that ITS staff with legitimate access are properly supervised. It also sets standards for maintaining accounts and access level for those staff authorized to work on systems that maintain PHI.
- Data Disclosure (DM-05) (Google Doc). This policy describes the practices and safeguards that minimize the risk of any unauthorized disclosure of PHI stored in ITS systems, as well as when such disclosure is authorized.
Data Security Policies
Data security policies generally describe the technical requirements necessary for HIPAA compliance.
- ITS HIPAA Security Program (DS-01) (Google Doc). This is the umbrella policy that describes how ITS meets HIPAA's compliance requirements.
- Physical Security of Protected Health Information and Other Sensitive Data (DS-02) (Google Doc). ITS is responsible for taking reasonable measures that limit physical access to its information systems containing PHI, and must accurately track and control electronic media that store PHI.
- Management of ITS IT Security Incidents Involving Protected Health Information (DS-03) (Google Doc). ITS has a well-established process for reporting and managing IT security incidents. This policy is specific to any breaches or inadvertent disclosures that involve PHI.
- Restrictions on Personally Owned Devices That Access or Maintain Sensitive University Data (DS-08) (Google Doc). This standard describes additional employee restrictions regarding accessing certain types of sensitive data on personal devices.
Technical Requirements & Standards Supplement
- ITS Information Security Supplement and Requirements (TS-02) (PDF). This document provides specific information security requirements for ITS systems that maintain PHI. Definitions of key terms used throughout the set of ITS HIPAA policies are provided in this document.
For ITS Staff Only
These resources are for ITS staff only. They are stored on the ITS intranet (Backstage), which is accessible only by ITS staff. Login with uniqname and UMICH password is required.
- HIPAA Compliance Internal Assessment Process for ITS Services. This document helps ITS service owners determine whether and how to bring their service into HIPAA compliance.
- ITS and HIPAA Compliance. Questions and answers for ITS staff about HIPAA compliance.