Data Security: Policies and Regulations Impacting Research Data

Security considerations in managing sensitive data.

What Is HIPAA?

HIPAA stands for the Health Insurance Portability and Accountability Act. It provides federal protections for personal health information held by covered entities (in this case UNC), and it gives patients rights with respect to that information. The HIPAA Security Rule specifies a series of administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information, or e-PHI. The Security Rule is designed to be flexible and scalable, so a covered entity can implement policies, procedures, and technologies that are appropriate for its particular size, organizational structure, and risks to consumers.

What Are UNC's Responsibilities?

As a covered entity, UNC has a responsibility to protect e-PHI. This includes the following:

  • Ensure the confidentiality, integrity, and availability of all e-PHI records created, received, maintained, or transmitted.
  • Identify and protect against reasonably anticipated threats to the security or integrity of the information.
  • Protect against reasonably anticipated impermissible uses or disclosures.
  • Ensure compliance by the UNC workforce.

UNC HIPAA Training Resources

How Should Data Be Secured?

  • Follow campus security policies.
  • Conduct and update risk assessments of systems and data.
  • Keep good records of what is protected.
  • Store data on a centrally managed server.
  • Encrypt the laptops and workstations that process sensitive data.
  • Put the server behind an SOM or ITS firewall.
  • Use encryption technology on the data (such as PGP NetShare or TrueCrypt).
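Two of the items above, keeping good records of what is protected and ensuring the integrity of e-PHI, can be partly automated with a file-integrity manifest. The following is an added example written for this page, not UNC or SOM/ITS tooling: it records the SHA-256 digest of every file under a directory and later reports which files were modified, removed, or newly added. It uses only the Python standard library; the directory, file names, and file contents are constructed placeholders, not real study data.

```python
"""Added example (not UNC's guidance or tooling): a minimal SHA-256 integrity
manifest for a directory of protected research files. It supports the
'keep good records of what is protected' and 'integrity of e-PHI' points
above. All paths and contents below are constructed for illustration."""
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    """Hash a file in 64 KiB chunks so large data files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify_manifest(root, manifest):
    """Compare the directory against a saved manifest.

    Returns lists of files whose digest changed, files that disappeared,
    and files present on disk that were never recorded."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo():
    """Constructed scenario: record a manifest, then alter, delete and add files.

    Returns (result_before_tampering, result_after_tampering)."""
    with tempfile.TemporaryDirectory() as root:
        # constructed sample files; the contents are placeholders, not real PHI
        with open(os.path.join(root, "study_a.csv"), "w") as f:
            f.write("subject_id,visit\n1001,1\n")
        with open(os.path.join(root, "study_b.csv"), "w") as f:
            f.write("subject_id,visit\n2002,1\n")

        manifest = build_manifest(root)
        clean = verify_manifest(root, manifest)   # nothing should be reported yet

        # simulate an unrecorded edit, a deleted record, and a stray file
        with open(os.path.join(root, "study_a.csv"), "a") as f:
            f.write("1001,2\n")
        os.remove(os.path.join(root, "study_b.csv"))
        with open(os.path.join(root, "notes.txt"), "w") as f:
            f.write("scratch")

        tampered = verify_manifest(root, manifest)
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print(json.dumps({"clean": clean, "tampered": tampered}, indent=2))
```

In practice the manifest would be saved with `json.dump` somewhere the data owners cannot silently rewrite (for example alongside the risk-assessment records rather than in the data directory itself), and `verify_manifest` would be run on a schedule so that unexpected changes show up in the records rather than being discovered by accident.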