Using ITS HIPAA-Aligned Services

HIPAA compliance is a shared responsibility between ITS, as a provider of HIPAA-aligned services, and units, as users of those services.

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) was enacted to allow coverage for workers and their families when they changed or lost their jobs, and required the establishment of national standards for electronic healthcare transactions. HIPAA includes privacy and security rules that govern how Protected Health Information (PHI) is collected, disclosed, and secured. The HIPAA privacy and security rules and requirements were developed to prevent accidental data spills, ensure data availability and integrity, and limit access to PHI to only authorized people.

HIPAA is...

  • A regulation that applies to covered entities and business associates of all shapes and sizes
  • A risk-based set of safeguards that ensure data confidentiality, availability, and integrity, and that prevent unauthorized access to PHI

HIPAA is not...

  • A set of specific, prescriptive security settings and controls
  • A regulation that applies to all health or medical information

U-M and HIPAA Compliance

The Michigan Medicine Corporate Compliance Office oversees U-M's compliance with HIPAA. ITS works closely with Michigan Medicine to ensure ITS employs appropriate risk-based administrative, physical, and technical safeguards and measures that HIPAA requires of an IT service provider that maintains or processes PHI.

The effort to meet HIPAA's requirements is a cooperative effort across the university. Using ITS HIPAA-aligned services supports a unit's HIPAA compliance program; however, units are still obligated to identify and meet their own risk-based HIPAA requirements. In order to meet the requirements found in HIPAA's safeguards:

  • See the ITS Services that Meet HIPAA Requirements section below.
  • See the shared-responsibility tables below for the responsibilities that ITS and campus units each carry.

ITS and HIPAA Safeguards

ITS has implemented a variety of safeguards in three categories that allow select ITS services to be used for information regulated by HIPAA:

  • Administrative Safeguards. These focus on policies, procedures, and documentation to train workforce members and appropriately permit or restrict their access to protected health information regulated by HIPAA.

    Examples include:

    • Security awareness training program for all staff
    • Procedures to regularly review records of information system activity (e.g., audit logs)

  • Physical Safeguards. These focus on limiting physical access to the facilities in which electronic information systems are housed, as well as to any physical media that contains or is used to access PHI.

    Examples include:

    • Retaining facility maintenance records
    • Establishing policies for disposal of electronic PHI and the media on which it is stored

  • Technical Safeguards. These focus on limiting access to PHI to specific, authorized persons.

    Examples include:

    • Automatic password lockout
    • Assigning a uniqname or number to track user identity
    • Capturing and reviewing log information related to authentication
    • Required use of Duo two-factor authentication

ITS Services that Meet HIPAA Requirements

ITS has put in place appropriate administrative, physical, and technical safeguards to allow university units to maintain or process HIPAA data in select IT services. Information on which services may be used for HIPAA data can be found in the university's Sensitive Data Guide to IT Services.

Shared Responsibility Environment: Using ITS HIPAA Services

ITS is responsible for, and seeks to provide, services that can meet the security, privacy, and compliance needs of its customers. University units are responsible for their environment once the service has been provisioned, including their applications, data content, virtual machines, access credentials, auditing of access to systems, and compliance with the regulatory requirements applicable to their particular field or industry.

While ITS offers these services to help enable appropriate privacy and security compliance, units are responsible for ensuring their particular use of ITS services complies with HIPAA and other applicable laws and regulations.

Shared ITS & Unit HIPAA Privacy and Security Responsibilities

Administrative Safeguards

For more information see the U.S. Health and Human Services Guide to Privacy and Security of Electronic Health Information.

Each entry below gives the HIPAA requirement, followed by the ITS responsibilities (as service provider of the HIPAA-aligned service) and the unit responsibilities (as customer of the HIPAA-aligned service).

Requirement: A defined, documented HIPAA compliance program
  • ITS: U-M has a defined HIPAA compliance program that includes documented and implemented administrative, physical, and technical safeguards.
  • Unit: Units that process and maintain PHI must have a defined, documented HIPAA compliance program.

Requirement: HIPAA compliance program reviewed and approved
  • ITS: ITS works with Michigan Medicine Corporate Compliance to review the overarching HIPAA compliance program.
  • Unit: Units are responsible for initial and ongoing review of their HIPAA program obligations, in compliance with guidance provided by Michigan Medicine Corporate Compliance and in consultation with the U-M Office of General Counsel.

Requirement: Identify and implement specific documented administrative safeguards
  • ITS: ITS implements and documents specific administrative safeguards, including policies and procedures, that apply to ITS and its workforce, such as on-boarding and off-boarding practices, development of contingency plans, and security incident response.
  • Unit: Units should implement and document appropriate administrative safeguards, including policies and procedures, that apply to the unit and its workforce, such as on-boarding and off-boarding practices, and follow university security incident response policy.

Requirement: HIPAA training and code of conduct
  • ITS: As appropriate, ITS provides regular HIPAA training for its workforce; in addition, ITS staff are expected to have a signed code of conduct and non-disclosure agreement in their personnel file.
  • Unit: As appropriate, units should provide HIPAA training to their staff; in addition, units may require their staff to have a signed code of conduct and non-disclosure agreement in their personnel file.

Requirement: Business Associate Agreements
  • ITS: ITS will only share data with external service providers that have completed a security and compliance questionnaire and signed the U-M Business Associate Agreement.
  • Unit: Before sharing data with non-U-M external service providers, units must have the provider complete a security and compliance questionnaire and sign the U-M Business Associate Agreement.

Physical Safeguards

Each entry below gives the HIPAA requirement, followed by the ITS responsibilities (as service provider of the HIPAA-aligned service) and the unit responsibilities (as customer of the HIPAA-aligned service).

Requirement: Identify and implement appropriate physical safeguards
  For more information see the U.S. Health and Human Services Guide to Privacy and Security of Electronic Health Information.
  • ITS: ITS implements and documents specific physical safeguards that apply to ITS workstations and facilities. Examples include locked doors, required visitor badges, data and media reuse and disposal practices, and surveillance cameras.
  • Unit: Units implement and document specific physical safeguards that apply to unit workstations and facilities, as well as to physical media that access or maintain PHI. Examples include locked doors, data and media reuse and disposal practices, surveillance cameras, locking up hard copies of reports, and shredding of documents.

Technical Safeguards

Each entry below gives the HIPAA requirement, followed by the ITS responsibilities (as service provider of the HIPAA-aligned service) and the unit responsibilities (as customer of the HIPAA-aligned service).

Requirement: Identify and implement appropriate technical safeguards
  For more information see the U.S. Health and Human Services Guide to Privacy and Security of Electronic Health Information.
  • ITS: ITS implements and documents specific technical safeguards that apply to ITS services, hardware, and infrastructure, including Unique User Identification, mandatory two-factor authentication, routine collection and review of authentication logs, automatic logoff or lockout of workstations after 15 minutes, and de-provisioning of system access when staff depart ITS.
  • Unit: Units implement and document specific technical safeguards that apply to unit-unique services, hardware, and infrastructure. Examples include Unique User Identification for users when accessing systems that contain PHI, routine review of audit logs, encrypting data whenever possible, automatic logoff or lockout of workstations after 15 minutes, and de-provisioning of system access when staff depart the unit.