HIPAA System Administrator

What is a HIPAA system administrator?

A HIPAA system administrator is one that ensures that a device/system that stores Protected Health Information meets HIPAA Security compliance.

Who can be a HIPAA system administrator?

One requirement:  individual is a full time faculty or staff at ECU.  If the system is research related it is typically someone on the study team that will serve in this role; however, it can be a staff member within the department.

What is a HIPAA system administrator’s responsibility?

  1. System administrators will complete the HIPAA Security Rule training on an annual basis.
  2. System administrators will complete Risk Assessments on each system they oversee on an annual basis.
  3. System administrators will review Log Reviews from their system(s) on a monthly basis.
  4. With regard to data storage and encryption (for University own systems/devices), it is recommended that the system administrator adhere to the following workstation security measures:
    1. It is highly recommended that the data is not stored on the local workstation but instead stored in a departmental Piratedrive folder with restricted access.
    2. The system administrator must ensure that the workstation is appropriately secured.  If data is stored on the local workstation instead of a departmental Piratedrive folder for any time period, it should be encrypted.
    3. Accounts which are no longer needed must be disabled in a timely fashion using an automated or documented procedure.
    4. An Antivirus software must be implemented- including a procedure to ensure that the virus detection software is maintained and up to date.
    5. Systems must be configured to automatically update operating system software, client software (web browsers, mail clients, office suites, etc.), and malware protection software (antivirus, anti-spyware, etc.).
    6. If available, auditing features on the system/device will be enabled.
  5. With regard to data storage on a departmental Piratedrive, it is recommended that the system administrator adhere to the following security measures:
    1. Plan the folder and data organization (i.e. will employees have their own folders in which they will store PHI?).
    2. Maintain documentation of folder administration.
    3. Grant and remove users and user access on as-needed basis.
    4. Choose level of access for users (only administrators should have full control access).
    5. Review and modify user access on as-needed basis.
    6. Review Piratedrive folder security four times a year. Use the Security Review Log Template that is provided by ITCS.
    7. Obtain ITPC approval to store Social Security Numbers.
    8. Obtain ITCS approval of HIPAA data storage measures.
    9. Protect sensitive data.
    10. Notify ITCS and the Office of Institutional Integrity if your role changes and you are no longer a folder administrator.