HIPAA System Administrator
What is a HIPAA system administrator?
A HIPAA system administrator is the person who ensures that a device or system that stores Protected Health Information meets HIPAA Security compliance.
Who can be a HIPAA system administrator?
There is one requirement: the individual must be a full-time faculty or staff member at ECU. If the system is research related, it is typically someone on the study team who will serve in this role; however, it can be a staff member within the department.
What is a HIPAA system administrator’s responsibility?
- System administrators will complete the HIPAA Security Rule training on an annual basis.
- System administrators will complete Risk Assessments on each system they oversee on an annual basis.
- System administrators will review Log Reviews from their system(s) on a monthly basis.
- With regard to data storage and encryption (for University-owned systems/devices), it is recommended that the system administrator adhere to the following workstation security measures:
  - It is highly recommended that data not be stored on the local workstation but instead stored in a departmental Piratedrive folder with restricted access.
  - The system administrator must ensure that the workstation is appropriately secured. If data is stored on the local workstation instead of a departmental Piratedrive folder for any time period, it should be encrypted.
  - Accounts which are no longer needed must be disabled in a timely fashion using an automated or documented procedure.
  - Antivirus software must be implemented, including a procedure to ensure that the virus detection software is maintained and up to date.
  - Systems must be configured to automatically update operating system software, client software (web browsers, mail clients, office suites, etc.), and malware protection software (antivirus, anti-spyware, etc.).
  - If available, auditing features on the system/device will be enabled.
- With regard to data storage on a departmental Piratedrive, it is recommended that the system administrator adhere to the following security measures:
  - Plan the folder and data organization (i.e. will employees have their own folders in which they will store PHI?).
  - Maintain documentation of folder administration.
  - Grant and remove users and user access on an as-needed basis.
  - Choose level of access for users (only administrators should have full control access).
  - Review and modify user access on an as-needed basis.
  - Review Piratedrive folder security four times a year. Use the Security Review Log Template that is provided by ITCS.
  - Obtain ITPC approval to store Social Security Numbers.
  - Obtain ITCS approval of HIPAA data storage measures.
  - Protect sensitive data.
  - Notify ITCS and the Office of Institutional Integrity if your role changes and you are no longer a folder administrator.