The University of Virginia (UVA) Health Information and Technology (HIT) Security office supports the Health System's objectives by protecting the confidentiality, integrity and availability of its data. Effective security administration relies on the design, review, and ongoing maintenance of reasonable and appropriate security controls that accommodate the complex interactions and business processes across and within UVA agencies and departments.

A particularly important aspect of healthcare information security is the regulatory framework established by two federal laws. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) identified administrative, technical and physical safeguards to protect electronic protected health information and the information systems that handle it. The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 promotes the adoption and meaningful use of health information technology; its Subtitle D addresses the privacy and security concerns associated with the electronic transmission of health information and includes provisions that strengthen the civil and criminal enforcement of the HIPAA rules.

The HIT Security strategy uses a multi-layered (defense-in-depth) model to protect all highly sensitive data. It incorporates life cycle management concepts so that ongoing processes and procedures continue to protect sensitive data while detecting and responding to information security risks that arise from new and evolving threats and vulnerabilities.

Key areas of focus, which mirror the eleven control clauses of ISO/IEC 27002:2005, include:

  1. Information Security Policy (Risk Assessment and Treatment)
  2. Organizing Information Security (Internal and External Organizations)
  3. Asset Management
  4. Human Resources Security
  5. Physical and Environmental Security
  6. Communications and Operations Management
  7. Access Control
  8. Information Systems Acquisition, Development, and Maintenance
  9. Information Security Incident Management
  10. Information Security Aspects of Business Continuity Management
  11. Compliance (Legal requirements, Security Policies, Standards, and Technical Compliance; Information Systems Audit Considerations)