
Data Security: Policies and Regulations Impacting Research Data: HIPAA Requirements

Security considerations in managing sensitive data.

Library Data Services

Library Data Services caters to researchers interested in working with data, mapping, texts, visualization, and technology. Many of these services are available online. Davis Library Data Services, located on the second floor of Davis Library, offers:

  • A computing lab with specialized software for GIS and data visualization & analysis.
  • Walk-in assistance provided by knowledgeable student consultants during set hours.
  • Consultations with specialists for more in-depth inquiries (by appointment).
  • Spaces for collaboration and presentation, complete with whiteboards and external displays.
  • Technology short courses and programs that promote digital scholarship.

What Is HIPAA?

HIPAA stands for the Health Insurance Portability and Accountability Act. It provides federal protections for personal health information held by covered entities (in this case, UNC). HIPAA gives patients rights with respect to this information. The HIPAA Security Rule specifies a series of administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (e-PHI). The Security Rule is designed to be flexible and scalable so that a covered entity like UNC can implement policies, procedures, and technologies that are appropriate for its particular size, organizational structure, and risks to consumers.

What Are UNC's Responsibilities?

As a covered entity, UNC has a responsibility to protect e-PHI. This includes the following:

  • Ensure the confidentiality, integrity, and availability of all e-PHI records created, received, maintained, or transmitted.
  • Identify and protect against reasonably anticipated threats to the security or integrity of the information.
  • Protect against reasonably anticipated impermissible uses or disclosures.
  • Ensure compliance by the UNC workforce.

UNC HIPAA Training Resources

How Should Data Be Secured?

  • Follow campus security policies.
  • Conduct and update risk assessments of systems and data.
  • Keep good records of what is protected.
  • Store data on a centrally managed server.
  • Encrypt the laptops and workstations that process sensitive data.
  • Put the server behind a SOM or ITS firewall.
  • Use encryption technology on data (such as PGP Netshare or TrueCrypt).
