Regulation on Security of Electronic Individually Identifiable Health Care Information under HIPAA

University Policy 311.6, Regulation on Security of Electronic Individually Identifiable Health Care Information under HIPAA

I. Introduction

A. This Regulation addresses The University of North Carolina at Charlotte’s obligations to comply with the security regulations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which require the University, its health care components, related departments and any employees, agents, business associates or assigns thereof , to protect the confidentiality, integrity and availability of individually identifiable health information created, received, transmitted or maintained, by or in electronic media form (specifically "electronic protected health information" or "ePHI").

B. This Regulation supplements the University’s existing information technology (IT) security policies, including, but not limited to University Policies 303, 304, 307, and 311, and any applicable security provisions contained in student, staff or faculty manuals. This Regulation is intended to apply to ePHI only.

II. Definitions

A. Protected Health Information (“PHI”): PHI is health information, including demographic information, created or received by the University’s health care components which relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual and that identifies or can be used to identify any individual. PHI does not include individually identifiable health information in education records covered by the Family Educational Rights and Privacy Act (FERPA), and in employment records held by a covered entity in its role as employer.

B. Electronic Protected Health Information (“ePHI”): PHI that is created, received, transmitted or maintained by electronic media as data.

C. Electronic Media: Electronic media means:

  1. Electronic storage media, including but not limited to computer memory devices (i.e. hard drives), and removable or transportable digital memory medium (i.e. disk, memory card, tape);
  2. Transmission media used to exchange ePHI already in electronic storage media, which includes, but is not limited to, the Internet, extranet, leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media.
  3. Other ePHI transmissions, including transmissions by facsimile and by land-based or cellular telephone, to the extent any ePHI transmitted via these means originates or is received as data in electronic storage media.

D. Hybrid Entity: A single legal entity (1) that is a covered entity, (2) whose business concerns include both covered and non-covered functions, and (3) that designates and documents the designation as underlying health components:

    • any subdivision of the hybrid entity that would be considered a covered entity if it was a separate legal entities;
    • any subdivision to the extent that it performs covered functions; or
    • any subdivision that would be considered a business associate of a component if the two were separate legal entities.

E. Covered Health Care Components: Those units that are health care providers that engage in HIPAA electronic transactions. The University’s covered health care components are the Student Health Services, the Counseling CenterDisability Services, and the Department of Athletics, and any University research component that creates, receives, transmits or maintains ePHI. Functional units that provide support services to these covered components are also covered by this definition, including but not limited to:

  1. Internal Audit Office;
  2. The University's HIPAA Privacy Officer and HIPAA Security Officer;
  3. Other functional units that may be designated by the HIPAA Security Officer in cooperation with the General Counsel’s Office.

F. Business Associate: A person or entity that is not a part of the University’s workforce, which performs certain functions, activities, or services for the University’s covered health care components involving the creation/receipt/maintenance/transmission of ePHI.

G. Implementation Specification: Approved and documented method, either required or addressable, by which a policy standard is to be executed, and which serves as a reasonable and appropriate safeguard to protect against a reasonably foreseeable threat or hazard to the maintenance or transmission of ePHI.

III. Regulation

A. The protection of the confidentiality, integrity and availability of ePHI, as required by HIPAA, necessitates the implementation of particular safeguards for ePHI created, received, maintained or transmitted by and through electronic media.

B. As an entity containing subdivisions and components that act as health care providers and healthcare clearinghouses that create, receive, maintain and transmit ePHI, the University is considered a Hybrid Entity and, as such, subject to the security provisions in HIPAA.

C. The University is obligated under federal and state law to:

  1. Implement security measures to ensure the confidentiality, integrity and availability of all ePHI that the University creates, receives, maintains and/or transmits;
  2. Protect against any reasonably anticipated threats or hazards to ePHI;
  3. Protect against any reasonably anticipated uses or disclosures of ePHI that are not permitted under this or other University policies or state and federal law.

D. Each Covered Health Component (hereinafter “Component”) of the University, which creates, maintains, receives or transmits ePHI, will comply with the general University policies governing the security of ePHI, which are required under HIPAA. These Components and subdivisions may be delegated the authority to establish policies and procedures governing the security of ePHI, according to each one’s resources and volume of ePHI each such Component or subdivision creates, receives, maintains or transmits. Any such policies or procedures must receive prior approval by the University’s HIPAA Security Officer.

E. All implementation specifications approved by the University in connection with this Regulation are applicable to the Components, all functional units supporting the Components and/or business associates, all employees, agents, assigns, faculty, contractors and guests who have or are given access to ePHI at the risk of University sanctions and civil and/or criminal penalties. Violation of any such implementation specifications may result in applicable disciplinary measures and/or civil and/or criminal penalties.

IV. Administrative Safeguards

A. Security Responsibility: The University, as the Hybrid Entity responsible for compliance by itself and its Components with this Regulation and the underlying HIPAA statute, is fully and solely responsible for the implementation and oversight of the Policies and Procedures set forth herein. The University’s HIPAA Security Officer (hereinafter “Compliance Officer”) is hereby authorized to act as the agent of the University and is empowered to make or approve all decisions and implementations relating to the oversight of this Regulation and any successor policies. The Compliance Officer will have the final authority on all matters of security associated with the protection of ePHI. The Compliance Officer will designate individuals within the Components, and the functional units supporting the Components, as Information Security Officers (ISOs), who will act to ensure compliance with this Regulation and related University, State and Federal statutes involving the security and privacy of PHI in general and ePHI in particular within their Component. In general, the head of the Component or unit generating the ePHI will be that department’s/unit’s ISO, unless otherwise specified by the Compliance Officer.

The Compliance Officer will also designate individuals at the University to serve as the HIPAA Oversight Committee, who will advise the Compliance Officer and the ISOs on all laws applicable to PHI management. Any policies or procedures that the ISOs seek to implement for their Components or Units, must be approved by the Compliance Officer. All Business Associates will be required to designate a security overseer pursuant to the University’s Business Associate Agreement.

B. Security Management Process: The University and its Components will thoroughly assess the potential risks and vulnerabilities to the confidentiality, integrity and availability of its ePHI (Risk Analysis) and implement security measures to reasonably reduce such risks and vulnerabilities to an appropriate level (Risk Management). Each ISO will conduct regular reviews of records of information system activity, such as audits and security incident tracking reports, no less than every six months.

C. Workforce Security: Access to ePHI at appropriate locations will be granted on a “need-to-know” basis only, through storage of ePHI at a central source, accessible only at certain workstations and with protected access information, which shall be kept confidential by the authorized individuals. Access to ePHI by any individual may be terminated at any time, as deemed necessary by the Compliance Officer, ISOs, or supervisors.

D. Information Access Management: All Components and units shall implement appropriate methods to segregate and protect access to ePHI from the general University, by maintaining ePHI on servers and/or drives separate from the network and made accessible only to authorized individuals at appropriately authorized locations and through appropriately authorized methods, such as approved and individualized passwords. All policies and procedures relating to information access shall be documented, reviewed and, where appropriate, modified by the Compliance Officer at regular intervals no less than annually.

E. Security Awareness and Training: All employees, faculty and staff of the University and its Components, who are authorized access to ePHI and may create, receive, maintain and/or transmit ePHI, shall undergo periodic training and awareness programs through the Information Technology Security (hereinafter “ITS”) Department, which may include security updates, procedures for detecting, avoiding and reporting malicious software programs, log-in monitoring, use and modification of passwords and reporting discrepancies in security procedures.

F. Security Incident Procedures: The University and its Components shall maintain procedures for identifying and responding to known or suspected security incidents, which include procedures for reporting and documenting incidents. All individuals authorized access to ePHI shall be trained on such procedures and receive periodic updates and review training on procedures.

G. Contingency Plan: Control procedures must ensure that the University can recover from any damage or infiltration to computer equipment or files within a reasonable period of time. Each Component or unit is required to develop and maintain a plan for responding to a system emergency or other occurrence (for example fire, vandalism, system failure, and natural disaster) that damages systems that contain ePHI. This will include developing policies and procedures including the following plans:

  • Data Backup Plan: A data backup plan must be documented and routinely updated to create and maintain, for a specific period of time, retrievable exact copies of information, to be stored in an off-site location.
  • Disaster Recovery Plan: A disaster recovery plan must be developed and documented which contains a process enabling the Component to restore any loss of data in the event of fire, vandalism, natural disaster, or system failure. Each Component shall develop and document procedures requiring periodic testing of written contingency plans.

H. Evaluation: The University requires that periodic technical and non-technical evaluations be performed by the Compliance Officer and/or the ISOs, in cooperation with the ITS Department, in response to environmental or operational changes affecting the security of ePHI to ensure its continued protection. The evaluations will be conducted at least annually.

V. Physical Safeguards

A. Facility Access Controls: Each Component shall document and implement facility access controls to limit physical access to electronic information systems containing ePHI and the facilities in which they are housed, while ensuring that properly authorized access is allowed and all such procedures must be fully documented. Component policies and procedures must be developed to address the following access control requirements:

  1. Contingency Operations: In support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency (as per the University’s Business Continuity Plan for each covered entity).
  2. Facility Security Plan: To safeguard the facility and the equipment from unauthorized physical access, tampering, and theft.
  3. Access Control and Validation: To control and validate a person’s access to facilities based on their position or need to know, including visitor control, and control of access to software programs for testing and revision.
  4. Maintenance Records: To document repairs and modifications to the physical components of the facility which are related to security (for example, hardware, walls, doors, and locks). Anyone potentially accessing ePHI due to the maintenance or repair of hardware of software systems must sign a confidentiality agreement at the time of employment, which must be renewed periodically. For Business Associates, confidentiality statements must be signed at the time of Business Associate Agreements and any renewal(s) thereof.
B. Workstation Use: Access to workstations where ePHI is accessible will be granted on a need to know basis only, requiring approval by an immediate supervisor with the assistance of the ISO. Workstations and personal computers where ePHI is available will be secured against unauthorized individuals by use of secured locations, confidential identifications (i.e., passwords), automatic shutdowns and encryption. Laptop computers and transportable storage devices shall not be used to store or transport ePHI.

C. Workstation Security: Unique user identification (user ID) and authentication is required for all systems that maintain or access ePHI. Users will be held accountable for all actions performed on this system with their user ID.

  1. At least one of the following authentication methods must be implemented (a) strictly controlled passwords, (b) biometric identification, and/or, (c) tokens in conjunction with a PIN.
  2. The user must secure his/her authentication control (e.g. password, token) such that it is known only to that user and possibly a designated security manager.
  3. An automatic timeout re-authentication must be required after a certain period of no activity (maximum 15 minutes).
  4. The user must log off or secure the system when leaving it.

D. Device and Media Controls: Each Component must develop and implement policies and procedures (as approved by the Compliance Officer) that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, and the movement of the items within the facility, including information disposal/media re-use of hard copy (paper and microfilm/fiche), magnetic media (floppy disks, hard drives, zip disks, etc), and CD ROM disks. Each Component must document the movement of hardware and electronic media and any person responsible for the equipment and create data backup and storage and the method for destroying electronic records, following a completed transfer.

E. Other Transmission Controls: At all times, except in cases of emergency, ePHI will be transmitted in hard-copy printed form, via hand delivery or postal delivery (either private or government-based). In cases of emergencies only, ePHI may be transmitted by facsimile, from land-line facsimile machines only. At no time shall ePHI be transmitted via email or other transmission methods available through the Internet or Extranet.

VI. Technical Safeguards

A. Access controls: Physical and electronic access to ePHI is controlled. To ensure appropriate levels of access by internal workers, a variety of security measures (as described in Section V, above) will be instituted as recommended by the ISOs and ITS Department and approved by the Compliance Officer,.

B. Audit controls: Hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI will be implemented by ISOs, with the approval of the Compliance Officer. Regular review of records of information system activity, such as audit logs, access reports, and security incident tracking reports, will be performed by the ISOs in cooperation with the ITS Department. These reviews must be documented and maintained for six (6) years. All breaches or attempted breaches of ePHI must be reported to the Compliance Officer immediately upon discovery. A report detailing the breach or attempted breach must include location, time, date, whether or not a breach occurred, what data was violated, the extent of the violation, and what measures are needed to remedy to situation.

C. Integrity: Mechanisms to authenticate ePHI and corroborate that the information has not been altered or destroyed will be implemented where appropriate by the ITS Department on the recommendation of the Compliance Officer or ISOs.

D. Entity Authentication: User identification will be required at all accessible workstations by use of passwords and/or identification numbers.

E. Transmission Security: Mechanisms to allow encryption of ePHI will be implemented where appropriate by the ITS Department on the recommendation of the Compliance Officer or ISOs.

VII. Business Associate Contracts

A. The University or one of its Components may enter a contract with an outside entity to perform or facilitate activities involving the creation, receipt, transmission or maintenance of ePHI, only if the Business Associate provides satisfactory assurances via an approved Business Associate contract that it will appropriately safeguard all University ePHI to which the Business Associate, its employees, agents, contractors and assigns receive access, and if an individual to act as a security overseer within the business associate is identified

B. The standard set forth in Section VII.A will not apply to:

1. transmission of ePHI to another health care provider relating to the treatment of an individual; or
2. transmission of ePHI to a group health plan sponsor or insurance issuer, to the extent the sponsor or issuer has provided adequate assurances that it is in compliance with the HIPAA security regulations.

C. The University or its Components shall terminate any contract, involving ePHI access and use, with a Business Associate, when it is learned actions of the Business Associate constituted a material breach or violation under the contract, and failed to take reasonable steps to cure the breach or end the violation upon request of the University or its Component. If termination of the contract is not feasible and if the breach or violation cannot be cured or ended, the Compliance Officer will report the problem to the Secretary.

D. The Business Associate contracts in use by the University and its Components and its Business Associates will require the implementation by the Business Associate and its employees, agents, contractors and assigns, of reasonable and adequate administrative, physical and technological safeguards to appropriately protect the confidentiality, integrity and availability of University’s ePHI created, maintained, received or transmitted by the business associate. The contracts will require that the Business Associate report a security incident to the Component or the Compliance Officer within ten (10) calendar days of becoming aware of such incident. The contracts will contain a provision authorizing immediate termination upon the University’s determination that the contract has been materially breached or otherwise violated. They will further comply to the extent reasonable and appropriate with the remaining requirements set forth in 45 CFR Sec. 164.314 (a)(2).

VIII. Group Health Plans

A. To the extent that any Component subject to this Regulation undertakes to provide services equivalent to or identical to those services provided by a group health plan, it will reasonably and appropriately safeguard any ePHI generated pursuant to its activities as a health plan.

B. The Component acting as a health plan will implement administrative, physical and technical safeguards compliant with this Regulation to protect the confidentiality, integrity and availability of all ePHI, including ePHI relating to the past, present and future payment for and billing of medical and/or psychological treatment provided to an individual by virtue of his or her receiving health plan benefits through the Component.

C. The Component acting as a health care plan will ensure all employees, agents, contractors, Business Associates or assigns will agree to implement reasonable and appropriate security measures, commensurate with the terms of this Regulation.

IX. Documentation

A. All policies and procedures enacted by the University in accordance with the HIPAA Security Rule and in conjunction with this Regulation, and all activities, actions and assessments required to be documented shall be maintained in written form. The documentation may be in electronic form.

B. All documentation required under this Section IX shall be made available to those persons responsible for implementing the pertinent procedures.

C. All documentation required under this Section IX shall be maintained a minimum of six (6) years from the date of its creation or whenever it was last in effect.

D. The University and its Components may change its policies and procedures at any time, as long as such policies and procedures are

  1. in compliance with the HIPAA Security Rule and this Regulation,
  2. approved by the Compliance Officer, and
  3. maintained in documented form in accordance with this provision.

E. All documentation will be subject to periodic reviews and updates, as necessitated by environmental or operational changes effecting ePHI.

X. Sanctions

A. Breaches of privacy or security of PHI or ePHI are to be reported immediately to the Compliance Officer.

B. Components must mitigate, to the extent practicable, any known harmful effects of the use or disclosure of PHI or ePHI in violation of this Regulation or the requirements of HIPAA.

C. Any University employee, agent, assign or contractor who is in violation of this Regulation is subject to disciplinary action up to and including discharge in accordance with applicable University policies and procedures. Individuals may also be subject to civil and criminal penalties under HIPAA.

Revision History: 

initially approved May 30, 2005