Skip to Main Content

Office of Mental Health

Information for Counties and Providers
HIPAA Security Rule

The OMH views the security of protected health information as an integral part of assuring its privacy. The following introduction from the security policy best captures this responsibility.

1.1 General Statement of Information Security Policy

Information is among the most valuable assets of the New York State Office of Mental Health (OMH) and OMH relies upon information to support its business activities. The preservation and retention of OMH information is critical to the agency's ability to provide mental health services to the citizens of the State and to fulfill its statutory responsibilities. Therefore, the security of OMH information and of the technology that facilitates its use is a responsibility shared by the entire OMH workforce. Each authorized user of or person who has access to OMH information has an obligation to preserve and protect OMH information assets in a consistent and reliable manner. Security controls, such as those set forth in this Policy, provide the necessary physical and procedural safeguards to accomplish such obligations.

Information security management enables information to be shared while ensuring protection of that information and associated systems. OMH executives and managers, together with information technology (IT) personnel, are responsible for ensuring that appropriate controls are in place to maintain the security objectives of confidentiality, integrity, and availability for OMH information assets; however, every person with access to information is responsible for compliance with any and all security measures as a condition of being granted such access.

To protect OMH Information, and in particular Patient Information (or 'Protected Health Information [PHI]), the OMH must comply with a variety of legislation and regulations at both the Federal (e.g. HIPAA, 45 C.F.R Parts 160, 165) and State levels (e.g. Mental Hygiene Law Sections 33.13 & 33.16, and Public Health Law Section (Article 27-F)).

The HIPAA security rule is the basis for OMH in developing its security policy and standards. The HIPAA security standards require health care entities to protect electronic patient information from improper access or alteration, and guard against loss of records. Specifically, the standards require that covered entities - health care providers, health plans and clearing houses that transmit patient information electronically - assess the potential risks and vulnerabilities to patient data in their work place and develop, implement and maintain appropriate security measures to safeguard it. The standards do not specify a specific technology or computer application, nor do they mandate a particular set of electronic security features or measures. In other words, HIPAA is technology-neutral. Instead, each covered entity is required to:

  1. evaluate its information security risks
  2. Devise and implement appropriate risk management measures. These risk management measures must be documented and kept current

Key Security provisions in summary:

The security requirements can be broadly grouped into three categories: administrative safeguards, physical safeguards, and technical safeguards. Each of the three categories entails a list of common practices and/or procedures particular to that category, as follows:

  1. Administrative safeguards - these are documented, formal practices to manage the selection and execution of security measures to protect patient data and the conduct of personnel in relation to the protection of the data, including:
    • Assigned Security Responsibility
    • Business Associate Contracts and Arrangements
    • Contingency Plan
    • Evaluation - Technical/Non-technical
    • Information Access Management
    • Security Incident Procedures
    • Security Management Process
    • Security Awareness and Training
    • Workforce Security
  2. Physical safeguards to guard the integrity, confidentiality and availability of patient data - these relate to the protection of the physical computer systems and associated buildings and equipment from fire and other natural and environmental hazards, as well as from intrusion. Physical safeguards also cover the use of locks, keys and administrative measures used to control access to computer systems and facilities, including policies or guidelines on:
    • Device and Media Controls
    • Facility Access Controls
    • Workstation Security
    • Workstation Use

    Technical safeguards which include the processes that are put in place to protect and to control and monitor information access including:

    • Access Control
    • Audit Controls
    • Integrity
    • Person or Entity Authentication
    • Transmission Security