The Medical Center must regularly conduct a technical and non-technical evaluation of its security controls and processes to document its compliance with its security policies and the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.
The purpose of this standard is to ensure compliance with HIPAA.
This standard applies to the Medical Center.
- Either an appropriate internal group or a third party may carry out the evaluation. For all systems residing on the Health Systems Clinical Network, a risk assessment must be completed prior to implementation, or a security exception must be placed and approved by the Health Information Security Officer. These processes are formal and defined, and must be documented.
- For all critical systems containing Electronic Protected Health Information (EPHI), the Medical Center must conduct a thorough technical and non-technical evaluation of its security controls and processes on a periodic basis, or when environmental or operational changes significantly impact the confidentiality, integrity, or availability of its EPHI.
- HIT Security will perform these evaluations with the services of a third party. The documented results of each annual review will be provided to the Chief Information & Technology Officer.
Additional policies and resources may be found in the Summary of HIPAA Security Rule, the University of Virginia Institutional Data Protection Standards, and the Medical Center Risk Assessment.