CUIMC Information Security Procedures


Background

Columbia University (“Columbia” or the “University”) is a HIPAA Covered Entity. For purposes of HIPAA compliance, it has organized as a hybrid entity and designated a single health care component pursuant to the Health Care Component Designation adopted and approved by the Trustees of the University on June 7, 2003, as may be amended from time to time. As a result, only the health care component is subject to HIPAA requirements. The health care component is comprised of the colleges, schools, and departments that perform covered health care provider functions and other departments to the extent that they perform services in support of those functions. For purposes of convenience the health care component is known as Columbia University Irving Medical Center (“CUIMC”) and hereafter, CUIMC shall be used to refer to the health care component.


Goal

The purpose of the CUIMC Information Security Procedures (the “Procedures”) is to document the detailed procedures for CUIMC’s implementation of the terms of the Columbia University Information Security Policies (the “Information Security Policies”) with respect to EPHI, in particular, the following Information Security Policies:

The complete list of Information Security Policies can be found in the University’s Administrative Policy Library under Computing and Technology Policies. Terms used, but not defined, in these Procedures are defined in Annex A hereto or in the Information Security Charter (the “Charter”).

These Procedures apply to the entire CUIMC Workforce. For purposes of these Procedures, the term “Workforce” includes employees, volunteers, trainees, students and other persons whose conduct, in the performance of work or study in CUIMC, is under the direct control of CUIMC, whether or not they are paid by CUIMC.

To the extent questions arise from these Procedures relating to detailed technological standards, please refer to the University’s Computing and Technology Policies or contact the Office of the Chief Information Officer at CUIMC.

Responsibility

Responsible Official: Chief Information Officer, Columbia University Irving Medical Center

Responsible Office: Columbia University Irving Medical Center Information Technology

Effective Date: 11/15/2014

ANNEX A: DEFINITIONS

Columbia or the University: Columbia University

Columbia University Irving Medical Center: the health care component of the University that is comprised of the colleges, schools and departments that perform covered health care provider functions and other departments to the extent that they perform services in support of those functions, as specified in the Health Care Component Designation adopted and approved by the Trustees of the University on June 7, 2003, as may be amended from time to time.

Confidential Data: any information that is contractually protected as confidential information and any other information that is considered by the University appropriate for confidential treatment. See the Columbia University Data Classification Policy for examples of Confidential Data.

Covered Entity: as defined in the HIPAA Privacy Rule (45 CFR 160.103).

CUIMC: Columbia University Irving Medical Center

CUIMC Information Security Office: Columbia University Irving Medical Center Information Security Office.

CUIMC IT: Columbia University Irving Medical Center Information Technology.

Data: all items of information that are created, used, stored or transmitted by the CUIMC community for the purpose of carrying out the institutional mission of teaching, research and clinical care and all data used in the execution of CUIMC’s required business functions including but not limited to EPHI.

Data Owners: CUIMC officials, including Directors, Officers of Instruction and Officers of Research, who are responsible for determining Data classifications, working with the CUIMC Information Security Office in performing risk assessments and developing the appropriate procedures to implement the Information Security Policies in their respective areas of responsibility.

Endpoint: any desktop or laptop computer (e.g., Windows, Mac, Linux/Unix), Mobile Device or other portable device used to connect to the University wireless or wired Network, to access Columbia email from any local or remote location or to access any institutional (University, NewYork-Presbyterian Hospital, departmental or individual) System, whether owned by the University or by an individual and used for CUIMC purposes.

EPHI: Electronic Protected Health Information.

FERPA: the Family Educational Rights and Privacy Act

HIPAA: the Health Insurance Portability and Accountability Act and its implementing regulations as amended and supplemented by the HITECH Act and its implementing regulations, as each is amended from time to time.

HITECH: the Health Information Technology for Economic and Clinical Health Act

Information Resource: (a) all Data regardless of the storage medium (e.g., paper, fiche, electronic tape, cartridge, disk, CD, DVD, external drive, copier hard drive, etc.) and regardless of form (e.g., text, graphic, video, audio, etc.); (b) the computing hardware and software Systems that process, transmit and store Data; and (c) the Networks that transport Data.

Information Security Office: the CUIMC Information Security Office or the Columbia University Information Security Office.

IT Custodians: CUIMC personnel who are responsible for providing a secure infrastructure in support of Data, including, but not limited to, providing physical security, backup and recovery processes, granting access privileges as authorized by Data Owners or System Owners and implementing and administering controls over Data in their respective areas of responsibility.

IT Group: a group of IT personnel who, as full-time employees of the Medical Center or of a member of the CUIMC OHCA (Organized Health Care Arrangement), are responsible for providing a secure infrastructure in support of Data, including, but not limited to, providing physical security, backup and recovery processes, granting access privileges as authorized by Data Owners or System Owners and implementing and administering controls over Data in their respective areas of responsibility. For more information, refer to the Certified IT Group Program Specifications.

Mobile Device: a smart/cell phone (e.g., iPhone, BlackBerry, Android or Windows Phone device), tablet (e.g., iPad, Nexus, Galaxy Tab or other Android-based tablet) or USB/removable drive.

Network: electronic Information Resources that are implemented to permit the transport of Data between interconnected endpoints. Network components may include routers, switches, hubs, cabling, telecommunications, VPNs and wireless access points.

PCI: Payment card industry.

PCI-DSS: the PCI Data Security Standard produced by the PCI–SSC, which mandates compliance requirements for enhancing the security of payment card data.

PCI-SSC: the PCI Security Standards Council, an open global forum of payment brands, such as American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc., that is responsible for developing the PCI-DSS.

Protected Health Information: any information created, received, maintained, processed or transmitted by CUIMC that relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual or the past, present or future payment for health care and (a) identifies the individual or (b) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.

Removable Media: CDs, DVDs, USB flash drives, external hard drives, Zip disks, diskettes, tapes, smart cards, medical instrumentation devices and copiers.

Security Managers: Managers in the CUIMC Information Security Office. Security Managers are responsible for the day to day management of CUIMC’s Information Security Program.

Sensitive Data: any information protected by federal, state and local laws and regulations and industry standards, such as HIPAA, HITECH, FERPA, the New York State Information Security Breach and Notification Act, similar state laws and PCI-DSS. See the Columbia University Data Classification Policy for examples of Sensitive Data.

Server: a computer that provides a service to other computers, such as processing communications, storing files or providing access to a printing facility. There are many types of Servers, including web, database, application, authentication, DNS, mail, proxy and NTP Servers.

System: a multi-user application or service used for University purposes that resides on one or more computing device(s) and transmits, stores or processes University Data. Any business process and/or application running on a Server is a System. Individual Endpoints are not considered Systems unless they perform Server functions.

System Owners: CUIMC officials, including Directors, Officers of Instruction and Officers of Research, who are responsible for determining computing needs, and the applicable System hardware and software, in their respective areas of responsibility and for ensuring the functionality of each such System.

User: a person who uses Information Resources. Users are responsible for ensuring that such Resources are used properly and in compliance with the Columbia University Acceptable Usage of Information Resources Policy, that information is not made available to unauthorized persons and that appropriate security controls are in place.

VPN: Virtual Private Network.