Skip to content

Information Security Standards



HIPAA-protected data is a subset of confidential data that is protected by the federal laws collectively known known as the Health Insuracne Portability and Accountability Act of 1996, 45 CFR Parts 160, 162, and 164.. HIPAA provides for protection of individually identifiable health information, grants rights to individuals about their health information, and requires notification in certain events.


This procedure applies to all systems or services that store or process HIPAA-protected data. This includes, but is not limited to systems in Student Health Services. This also applies to any systems which have access to the EMR (Electronic Medical Records) system.

The purpose of the implementation of this procedure is to provide a set of measures that will mitigate information security risks associated with HIPAA-protected data.


1. Computers and devices that access HIPAA-protected data will be located on an isolated network segment. All traffic into and out of this network will be logged. Access to certain Internet sites may be restricted or forbidden.

2. Computers and devices that access HIPAA-protected data are primarily for HIPAA-protected data. Use of a university computer for personal business may be a violation of other University Procedures.

3. No HIPAA-protected data may be saved outside of the EMR system, including the hard drive in the local system or externally attached storage.

4. All computers must begin with a known, clean, virus-free image before any software that can access the EMR system is loaded. In the event of a data breach, hard drives in the affected machines will be removed and replaced with new hard drive with a clean image.

5. End users will not be granted administrative access to any computer that can access HIPAA-protected data, and may not install, uninstall, or otherwise alter the computer’s software unless the request is made through and approved by Information Technology.

6. System administrators must work through the Information Security Officer and ensure that new software does not result in an increased risk of an information breach.


45 CFR 160

45 CFR 162

45 CFR 164


Created August 20, 2013

Updated March 31, 2014