Educause Security Discussion mailing list archives
Re: HIPAA Network Guidelines
From: Adam Menos <amenos () ARTIC EDU>
Date: Tue, 11 Feb 2020 12:17:44 -0600
HIPAA is rather high level and not as deep in the weeds as, for example, PCI. It emphasizes what PHI is and allows organizations to take measures as they see fit to protect it (it's more flexible). It does not mandate actions like PCI does, such as segmenting off networks that deal with cardholder data.

Also, another unique aspect of HIPAA is breach notification. You have to make sure it gets reported within 60 days if the breach impacted 500 or more individuals; otherwise, annually.

For devices that store PHI (like laptops), a good HIPAA recommendation is to ensure the laptop is encrypted in case it gets stolen (for example).

And lastly, the concept of a BAA (Business Associate Agreement): a lot of health organizations have been fined for not having them in place with 3rd parties that have access to PHI.

Short answer is no, no need to segment off networks that transmit PHI. Just ensure encryption is in place where applicable. That has been my experience with HIPAA.

Check to see if HIPAA even applies to your higher ed. It's been noted that many times they are not bound by it.

https://www.thompsoncoburn.com/insights/blogs/regucation/post/2016-02-03/is-your-institution-of-higher-education-covered-by-hipaa-

"However, the Office of Civil Rights, the governmental agency that enforces the HIPAA Privacy Rule, has clarified that the HIPAA Privacy Rule generally does not apply to institutions of higher education. As a matter of law, the Rule applies only to "covered entities," which includes health plans, health care clearinghouses, and health care providers that transmit health information in electronic form in connection with covered transactions."

On Tue, Feb 11, 2020 at 11:44 AM Menne, Michael S <michael.menne () mnsu edu> wrote:
Good morning all,

We are a medium-sized university with three small HIPAA clinics. We have a dental clinic that serves the general public, Student Health Services that serves students and graduated students for 6 months after graduation, as well as a Speech Rehabilitation clinic that serves the general public by referral.

Our network team is asking for some guidelines for protecting HIPAA data from a network standpoint. I'm not a HIPAA expert and have done the best I can to provide guidance on network segmentation. Does anyone have any network guidelines on protecting HIPAA information?

Thanks,

Michael Menne, CISSP
Chief Information Security Officer
IT Solutions Information Security
Minnesota State University, Mankato
Phone: (507) 389-5705
mnsu.edu/cyberaware <https://mnsu.edu/cyberaware>

********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
--
Adam Menos
Director of Information Security
116 S Michigan Ave | Chicago, IL 60603
Office: 312.499.4031
amenos () artic edu
Current thread:
- HIPAA Network Guidelines Menne, Michael S (Feb 11)
- Re: HIPAA Network Guidelines Adam Menos (Feb 11)
- Re: HIPAA Network Guidelines Menne, Michael S (Feb 11)
- Re: HIPAA Network Guidelines Adam Menos (Feb 11)