The University of Texas Health Science Center at Houston

The IT Security website has moved.

Please amend your bookmarks accordingly.

https://inside.uthouston.edu/itsecurity/

Updated 4/04/2013
HIPAA Security Rule Compliance Roadmap
The University of Texas Health Science Center at Houston Information Technology Data Center Operations and Services Department.
 
 

 

To comply with the HIPAA Security Rule, every UTHealth system owner responsible for a system that creates, receives, maintains or transmits e-PHI must complete the HIPAA Security Rule Compliance Steps listed below.

 

Who are System Owners?

 

The system owner is the person responsible for the business function or project that depends on a system. If the system supports multiple business functions, the system owner is the person responsible for carrying out the overall program that the system supports.

 

See HOOP 175 (section III, item 2) for examples of system owners and a list of system owner responsibilities. Contact IT Risk & Compliance if you have questions about the system owner role.

 

HIPAA Security Rule Compliance Steps:

  1. Perform an initial assessment of the system's compliance with the HIPAA Security Rule, and review and update that assessment every other year. The assessment is performed using the HIPAA Security Rule Compliance Assessment, which is based on ISAAC, UT System's Information Security Awareness, Assessment, and Compliance tool. The "How to Use" tab of the assessment outlines the steps required to complete it, which include:
    a. Complete the assessment questions.
    b. Document explanatory comments and evidence.
    c. Identify gaps and corrective actions.
    d. Implement all corrective actions.

  2. Perform a risk analysis of the system every year to identify vulnerabilities that could threaten the confidentiality, integrity and availability of e-PHI. The risk analysis is performed using UT System's ISAAC tool; contact IT Risk & Compliance for instructions on how to use the tool.

  3. Update the risk analysis whenever the system undergoes environmental, operational or other changes that could affect the security of its e-PHI.

 

 

© 2010, The University of Texas Health Science Center at Houston