Since the primary data center opened about 5 years ago, Information Technology Services (ITS) has had a number of cabinets with card readers to secure health information protected by the Health Insurance Portability and Accountability Act (HIPAA). HIPAA was enacted in 1996 and addresses the security and privacy of health information.
The University Data Center (UDC) organization achieved a significant milestone last week, when the Information Security Office (ISO) gave HIPAA Security Physical Compliance Approval for the entire primary production data center. All customers who use the data center can rest assured that all compliance procedures (physical and security measures), as well as training to store HIPAA data on premises, are in place.
Exhaustive physical security and procedural audits were performed. Remediation had to be completed and vulnerabilities mitigated before the ISO would be able to approve the data center as HIPAA compliant. After the ISO reviewed and approved that we had met all requirements, Jeff Graves, a UT Austin attorney in Legal Affairs, reviewed the audit and agreed that the primary data center can now be designated as HIPAA approved.
Special thanks to Brad Fawver, who led this effort; Ron Williams and his team, who worked to improve and harden many of the locks and doors around that site; and to everyone who completed the required HIPAA training. Over the course of the past year almost everyone on the UDC team contributed to this effort. Congratulations on a job well done, and thank you for all your hard work to help us reach this goal!
Now that the entire primary data center is HIPAA-approved for systems that contain health information, it’s time to look to the future. Within the next year, all other data centers managed by ITS will be brought up to the same level of compliance and will become HIPAA approved. ITS is committed to continual improvement of physical security at campus data centers and network operating centers to maintain the safety of University data.
As Cyber Security Awareness Month (CSAM) approaches in October, it is good to remember that physical security is also a vital component of protecting data and meeting a variety of compliance and policy requirements and standards.