Skip to main content

HIPAA Data Requirements for Shared File Services

How the Health Insurance Portability and Accountability Act (HIPAA) data requirements work with Shared File Services (SFS).

This article applies to: Shared File Services


Shared File Services is approved to store information classified as being protected under the Health Information Portability and Accountability Act (HIPAA) within the following limitations:

  1. Only organizations and groups identified as Cornell University's HIPAA covered components may request HIPAA compliant CIFS shares from Shared File Services.   

    See the list of Cornell’s HIPAA covered components in the Cornell University Hybrid Entity Designation document.
     

  2. HIPAA compliance is a shared responsibility between CIT’s Shared File Service and you, the Technical Support Providers (TSP), as well as your end-users who process HIPAA data.
  • CIT is responsible for the HIPAA requirements as they pertain to the file-storage hardware, its operating system, and logical and physical access to the hardware/OS as well as configuration of the shares.
  • TSP's are responsible for the HIPAA data/files themselves, their file system ACL’s, end-users and the computer systems they utilize to access the HIPAA data.
  • End-users, TSP’s, and CIT are all responsible for ensuring compliance with the policy, including being HIPAA trained/certified.
  1. HIPAA compliant shares are identical to the Level-1/Confidential shares listed under Confidential or Sensitive Data on a Share, with the addition of encryption and additional required administrative responsibilities to be met by you (the TSP, the Administrative Contact and/or Alternate Contact for the share).  These requirements include, but are not limited to, the following:

SFS HIPAA Guidelines to be met by the TSP

Physical Safeguards for HIPAA Data
Standards Sections

Implementation Specifications

Required or 
Addressable

SFS Alignment

Workstation Use 164.310(b) Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information. Required

TSP's must ensure compliance per HIPAA and Cornell Policy 5.10.

See SFS: Confidential or Sensitive Data on a Share, under "Requirements" and associated links.
Workstation Security

164.310(c)

Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users. Required

TSP's must ensure compliance per HIPAA and Cornell Policy 5.10.

See SFS: Confidential or Sensitive Data on a Share, under "Requirements" and associated links.

Technical Safeguards for HIPAA Data
Standards Sections

Implementation Specifications

Required or 
Addressable

SFS Alignment

Access Control 164.312(a)(1)

Automatic Logoff:
 

Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
Addressable

TSP’s to ensure both lockscreen and Automatic Logoff are operational.

Access Control 164.312(a)(1)

Encryption and Decryption:
 

Implement a mechanism to encrypt and decrypt electronic protected health information.
Addressable

TSP’s to ensure endpoint hard drives are encrypted.

Data-in-flight between SFS and the workstation is encrypted.

Data-at-rest on SFS is not encrypted.

DR-backups on SFS are encrypted.

Audit Controls 164.312(b) Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. Required

TSP's see SFS: Configure CIFS Auditing.

TSP’s to perform CIFS Audits as required.

Person or Entity Authentication

164.312(d)

Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed. Required

University Policy 5.8

University Policy 5.10

Administrative Safeguards for HIPAA Data
Standards Sections

Implementation Specifications

Required or 
Addressable

SFS Alignment

Security Management Process 164.308(a)(1)

Sanction Policy:
 

Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.
Required

Cornell Employment policies and Annual Confidentiality Attestations should allow for sanctions or terminations if warranted.  Since this is not a universal standard:

TSP’s are to report concerns and work with their management to ensure employees are held accountable for their actions, if appropriate.

CIT has a confidentiality attestation, as does Cornell Health and Benefits Services.

University Policy 6.11.3, Employee Discipline

Workforce Security

164.308(A)(3)

Termination Procedures:
 

Implement procedures for terminating access to electronic protected health information when the employment of, or another arrangement with, a workforce member ends or as required by determinations made as specified in Workforce Clearance (above).

Addressable

TSP’s are to work with their management to ensure a logged procedure is in place which will: Ensure authorization of workforce members to access HIPAA data.  This logged procedure also needs to incorporate clearance, training, and termination of access procedures.

Quarterly audits are to be performed by the TSP and/or their management to ensure access Termination compliance.

Workforce Security 164.308(A)(3)

Workforce Clearance:

Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.
Addressable

TSP’s are to work with their management to ensure a logged procedure is in place which will: Ensure authorization of workforce members to access HIPAA data.  This logged procedure also needs to incorporate clearance, training, and termination of access procedures.

Quarterly audits are to be performed by the TSP and/or their management to ensure Workforce Clearance compliance.
Information Access Management

164.308(a)(4)

Access Establishment and Modification:

What policies and procedures are in place to address access controls and privileges?
Addressable TSP’s are to work with their management to ensure a logged procedure is in place which will: Ensure workforce members receive approval for accessing HIPAA data from the appropriate authority, with the appropriate level of access. This logged procedure also needs to incorporate Modifications and Removals of access.
Information Access Management 164.308(a)(4)

Access Authorization:

Who has the authority to determine whether someone can access or store ePHI?

AND, to what level of access are they granted?
Addressable TSP’s are to work with their management to ensure a logged procedure is in place which will: Ensure workforce members receive approval for accessing HIPAA data from the appropriate authority, with the appropriate level of access. This logged procedure also needs to incorporate Modifications and Removals of access.
Information Access Management 164.308(a)(4)

Access Establishment and Modification:

What policies and procedures are in place to address access controls and privileges?
Addressable TSP’s are to work with their management to ensure a logged procedure is in place which will: Ensure workforce members receive approval for accessing HIPAA data from the appropriate authority, with the appropriate level of access. This logged procedure also needs to incorporate Modifications and Removals of access.
Security Awareness & Training

164.308(a)(5)

Log-In Monitoring:

Procedures for monitoring log-in attempts and reporting discrepancies.
Addressable

TSP’s are to ensure that login monitoring is addressed, and the results available for review on a quarterly basis.

Security Incident Procedures:

Evaluation

164.308(a)(8)

Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of this subpart. Required

TSP’s are to ensure computer operating system updates are applied in a timely fashion, and that Anti-virus and Identity Finder are utilized.

TSP’s are to report to their management technical or nontechnical concerns regarding HIPAA data, or users who access such data, or the systems they utilize.

  • While Cornell University is required to be fully compliant with the HIPAA Administrative Simplification Regulation Text, CIT (SFS administration) and you are primarily concerned with SUBPART C of PART 164, “Security Standards for the Protection of Electronic Protected Health Information”.

    Consult the HIPAA Administrative Simplification Regulation Text to determine the complete list of requirements for which you are responsible.
     
  • A dual-factored VPN connection is required to access HIPAA shares.
  • SMB3 support is required (Windows 7 and older are not compatible).
  • For the Administrative Contact and Alternate Contact roles, two people are required. Teams or groups are not allowed.
  • The two TSP’s are required to use doc accounts for Administrative purposes (ACL management, CIFS Auditing configuration, etc).  A CornellAD group configured expressly for supporting HIPAA data administration (named appropriately) should contain these two doc accounts.  This CornellAD group can only be used for this purpose, the group cannot be reused for other purposes.
  • All personnel are required to be HIPAA trained/certified.

About this Article

Last updated: 

Thursday, July 9, 2020 - 4:52pm

Was this page helpful?

Your feedback helps improve the site.

Comments?