HIPAA Data Requirements for Shared File Services
How the Health Insurance Portability and Accountability Act (HIPAA) data requirements work with Shared File Services (SFS).
This article applies to: Shared File Services
Shared File Services is approved to store information classified as being protected under the Health Information Portability and Accountability Act (HIPAA) within the following limitations:
-
Only organizations and groups identified as Cornell University's HIPAA covered components may request HIPAA compliant CIFS shares from Shared File Services.
See the list of Cornell’s HIPAA covered components in the Cornell University Hybrid Entity Designation document.
- HIPAA compliance is a shared responsibility between CIT’s Shared File Service and you, the Technical Support Providers (TSP), as well as your end-users who process HIPAA data.
- CIT is responsible for the HIPAA requirements as they pertain to the file-storage hardware, its operating system, and logical and physical access to the hardware/OS as well as configuration of the shares.
- TSP's are responsible for the HIPAA data/files themselves, their file system ACL’s, end-users and the computer systems they utilize to access the HIPAA data.
- End-users, TSP’s, and CIT are all responsible for ensuring compliance with the policy, including being HIPAA trained/certified.
- HIPAA compliant shares are identical to the Level-1/Confidential shares listed under Confidential or Sensitive Data on a Share, with the addition of encryption and additional required administrative responsibilities to be met by you (the TSP, the Administrative Contact and/or Alternate Contact for the share). These requirements include, but are not limited to, the following:
SFS HIPAA Guidelines to be met by the TSP
Standards | Sections |
Implementation Specifications |
Required or Addressable |
SFS Alignment |
---|---|---|---|---|
Workstation Use | 164.310(b) | Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information. | Required |
TSP's must ensure compliance per HIPAA and Cornell Policy 5.10. See SFS: Confidential or Sensitive Data on a Share, under “Requirements” and associated links. |
Workstation Security |
164.310(c) |
Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users. | Required |
TSP's must ensure compliance per HIPAA and Cornell Policy 5.10. See SFS: Confidential or Sensitive Data on a Share, under “Requirements” and associated links. |
Standards | Sections |
Implementation Specifications |
Required or Addressable |
SFS Alignment |
---|---|---|---|---|
Access Control | 164.312(a)(1) |
Automatic Logoff: Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. |
Addressable |
TSP’s to ensure both lockscreen and Automatic Logoff are operational. |
Access Control | 164.312(a)(1) |
Encryption and Decryption: Implement a mechanism to encrypt and decrypt electronic protected health information. |
Addressable |
TSP’s to ensure endpoint hard drives are encrypted. Data-in-flight between SFS and the workstation is encrypted. Data-at-rest on SFS is not encrypted. DR-backups on SFS are encrypted. |
Audit Controls | 164.312(b) | Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. | Required |
TSP's see SFS: Configure CIFS Auditing. TSP’s to perform CIFS Audits as required. |
Person or Entity Authentication |
164.312(d) |
Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed. | Required |
Standards | Sections |
Implementation Specifications |
Required or Addressable |
SFS Alignment |
---|---|---|---|---|
Security Management Process | 164.308(a)(1) |
Sanction Policy: Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate. |
Required |
Cornell Employment policies and Annual Confidentiality Attestations should allow for sanctions or terminations if warranted. Since this is not a universal standard: TSP’s are to report concerns and work with their management to ensure employees are held accountable for their actions, if appropriate. CIT has a confidentiality attestation, as does Cornell Health and Benefits Services. University Policy 6.11.3, Employee Discipline |
Workforce Security |
164.308(A)(3) |
Termination Procedures: Implement procedures for terminating access to electronic protected health information when the employment of, or another arrangement with, a workforce member ends or as required by determinations made as specified in Workforce Clearance (above). |
Addressable |
TSP’s are to work with their management to ensure a logged procedure is in place which will: Ensure authorization of workforce members to access HIPAA data. This logged procedure also needs to incorporate clearance, training, and termination of access procedures. Quarterly audits are to be performed by the TSP and/or their management to ensure access Termination compliance. |
Workforce Security | 164.308(A)(3) |
Workforce Clearance: Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate. |
Addressable |
TSP’s are to work with their management to ensure a logged procedure is in place which will: Ensure authorization of workforce members to access HIPAA data. This logged procedure also needs to incorporate clearance, training, and termination of access procedures. Quarterly audits are to be performed by the TSP and/or their management to ensure Workforce Clearance compliance. |
Information Access Management |
164.308(a)(4) |
Access Establishment and Modification: What policies and procedures are in place to address access controls and privileges? |
Addressable | TSP’s are to work with their management to ensure a logged procedure is in place which will: Ensure workforce members receive approval for accessing HIPAA data from the appropriate authority, with the appropriate level of access. This logged procedure also needs to incorporate Modifications and Removals of access. |
Information Access Management | 164.308(a)(4) |
Access Authorization: Who has the authority to determine whether someone can access or store ePHI? AND, to what level of access are they granted? |
Addressable | TSP’s are to work with their management to ensure a logged procedure is in place which will: Ensure workforce members receive approval for accessing HIPAA data from the appropriate authority, with the appropriate level of access. This logged procedure also needs to incorporate Modifications and Removals of access. |
Information Access Management | 164.308(a)(4) |
Access Establishment and Modification: What policies and procedures are in place to address access controls and privileges? |
Addressable | TSP’s are to work with their management to ensure a logged procedure is in place which will: Ensure workforce members receive approval for accessing HIPAA data from the appropriate authority, with the appropriate level of access. This logged procedure also needs to incorporate Modifications and Removals of access. |
Security Awareness & Training |
164.308(a)(5) |
Log-In Monitoring: Procedures for monitoring log-in attempts and reporting discrepancies. |
Addressable |
TSP’s are to ensure that login monitoring is addressed, and the results available for review on a quarterly basis. |
Security Incident Procedures: Evaluation |
164.308(a)(8) |
Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of this subpart. | Required |
TSP’s are to ensure computer operating system updates are applied in a timely fashion, and that Anti-virus and Identity Finder are utilized. TSP’s are to report to their management technical or nontechnical concerns regarding HIPAA data, or users who access such data, or the systems they utilize. |
- While Cornell University is required to be fully compliant with the HIPAA Administrative Simplification Regulation Text, CIT (SFS administration) and you are primarily concerned with SUBPART C of PART 164, “Security Standards for the Protection of Electronic Protected Health Information”. Consult the HIPAA Administrative Simplification Regulation Text to determine the complete list of requirements for which you are responsible.
- A dual-factored VPN connection is required to access HIPAA shares.
- SMB3 support is required (Windows 7 and older are not compatible).
- For the Administrative Contact and Alternate Contact roles, two people are required. Teams or groups are not allowed.
- The two TSP’s are required to use doc accounts for Administrative purposes (ACL management, CIFS Auditing configuration, etc). A CornellAD group configured expressly for supporting HIPAA data administration (named appropriately) should contain these two doc accounts. This CornellAD group can only be used for this purpose, the group cannot be reused for other purposes.
- All personnel are required to be HIPAA trained/certified.
Comments?
To share feedback about this page or request support, log in with your NetID