The Texas Advanced Computing Center (TACC) is committed to implementing measures to protect privacy consistent with the university mission and environment, applicable legal requirements and professional standards, generally accepted privacy norms, and available resources. The provisions of this policy include the implementation of the following required components and documented policies and procedures.
This policy applies to all personnel, regardless of affiliation, who create, access or store Protected Health Information ("PHI") at TACC designated for purposes of complying with the final provisions of the security and privacy rules regulated by the Health Insurance Portability and Accountability Act (HIPAA).
TACC will also comply with the University of Texas at Austin (UTA) Minimum Security Standard for Systems with HIPAA Data.
Notice of Privacy Practices
- TACC shall maintain a Notice of Privacy Practices that explains how it uses and discloses protected data.
- The notice shall be written in plain language and shall include the terms required by HIPAA.
- TACC may not use or disclose PHI in violation of the Notice.
- TACC maintains administrative and physical safeguards to protect protected data from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements of HIPAA.
- TACC shall reasonably safeguard protected health information to limit incidental uses or disclosures.
- TACC shall limit the protected health information accessed, used or disclosed to the minimum necessary to accomplish their goal.
- TACC shall periodically complete a Risk Analysis as required under the HIPAA Security Rule.
- TACC shall use the risk analysis to determine a Risk Management plan.
- TACC shall ensure all TACC staff who may use mobile devices to access PHI understand their responsibilities.
- TACC shall implement written policies and procedures to ensure these safeguards are in place.
- TACC shall train each new member of TACC Staff within a reasonable period of time (based on their role) after the person joins the workforce, but no longer than 90 days from the initial employment date.
- TACC shall require all TACC staff members to complete HIPAA Privacy and Security Training on an annual basis.
- TACC shall also train each member of TACC staff whose functions are affected by a material change in the policies or procedures, within a reasonable period of time after the material change becomes effective.
Limited Data Set
TACC shall only accept data in the form of a limited data set when possible for the purposes of research.
TACC shall follow the University of Texas at Austin (UTA) disciplinary policies.
- University of Texas Austin Minimum Security Standards for HIPAA Data. https://security.utexas.edu/iso-policies/minimum-security-standards-hipaa-data
- The Security Rule of the Health Insurance Portability and Accountability Act (HIPAA) http://www.hhs.gov/ocr/privacy/hipaa/administrative/index.html
- The Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA) http://www.hhs.gov/ocr/privacy/hipaa/administrative/index.html
- Health Information Technology Act (HITECH) http://www.healthit.gov/sites/default/files/hitech_act_excerpt_from_arra_with_index.pdf
- Title 45 of the Code of Federal Regulations (CFR) http://www.ecfr.gov/cgi-bin/text-idx?mc=true&tpl=/ecfrbrowse/Title45/45cfrv1_02.tpl#0