Thomas Jefferson University

HIPAA Information

There is an ongoing and active effort across all covered areas of TJU and JUP to ensure and document compliance with the HIPAA Security Rule.  The Information Technology Security Committee is the main body charged with maintaining and documenting TJU and JUP’s compliance with the HIPAA Security Rule.  The committee conducts annual software inventories of all HIPAA covered areas within TJU and JUP, manages an annual HIPAA Security Risk Assessment, and develops and maintains TJU and JUP policies related to HIPAA Security Rule requirements.  Please visit the University Policies section of Pulse to view the HIPAA Security policies. To review these policies, log in to Pulse and click on the University Policies link in the left navigation, titled 'Links'.

Below is additional information on the HIPAA Security Rule.

Security Standard

The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II) required the Department of Health and Human Services (HHS) to establish national standards for the security of electronic health care information.  The final rule adopting HIPAA standards for security was published in the Federal Register on February 20, 2003. This final rule specifies a series of administrative, technical, and physical security procedures for covered entities to use to assure the confidentiality of electronic protected health information. The standards are delineated into either required or addressable implementation specifications.

The National Institute of Standards and Technology (NIST) publishes its "Introductory Resource Guide to Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (SP 800-66 REV 1 Draft) (PDF)."

In an ongoing effort to provide HIPAA covered entities with resources related to HIPAA security, CMS is pleased to announce that NIST has published the draft of Special Publication 800-66 Revision 1, An Introductory Resource Guide to Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.  This special publication (SP), which discusses security considerations and resources that may provide value when implementing the requirements of the HIPAA Security Rule, was written to help educate readers about information security terms used in the HIPAA Security Rule and to improve understanding of the meaning of the security standards set out in the Security Rule, to direct readers to helpful information in other NIST publications on individual topics the HIPAA Security Rule addresses, and to aid readers in understanding the security concepts discussed in the HIPAA Security Rule.  Please note that this publication does not represent guidance published by or on behalf of CMS, nor does it supplement, replace, or supersede the HIPAA Security Rule, which is enforced by CMS.

HIPAA Security Guidance for Remote Use of and Access to Electronic Protected Health Information

CMS has prepared guidance to provide HIPAA covered entities with general information on the risks and possible mitigation strategies for remote use of and access to Electronic Protected Health Information (EPHI).

CMS has delegated authority to enforce the non-privacy provisions of the HIPAA Regulations, to include HIPAA Security.  This guidance document sets forth CMS' minimal compliance expectations for covered entities seeking to safeguard EPHI that is accessed, stored or transported offsite.  Please note, however, that this document does not seek to provide a comprehensive list of risks and mitigation strategies, but rather a general list of suggestions for organizations that require remote use of sensitive health information.

To view this document, click here. Also visit University Policies in Pulse and look for the Single Device Remote Access Policy.

HIPAA Security Educational Paper Series

There are seven papers in the HIPAA Security Educational Paper Series.  The papers currently available include:  "Security 101 for Covered Entities", "Security Standards Administrative Safeguards", "Security Standards Physical Safeguards", "Security Standards Technical Safeguards", "Security Standards Organizational, Policies and Procedures and Documentation Requirements" and "Basics of Risk Analysis and Risk Management".

On December 12, 2007, CMS announced the publication of a new HIPAA security educational paper entitled "Security Standards Implementation for the Small Provider". This document is the seventh and final in the series of HIPAA Security Educational Papers and is intended to assist small health care providers with coming into or maintaining compliance with the Security Rule.

To view these papers, click here.