In 1996, Congress enacted the Health Insurance Portability and Accountability Act (HIPAA), one purpose of which is to protect health information by establishing transaction standards for the exchange of health information, security standards, and privacy standards for the use and disclosure of individually identifiable health information. HIPAA applies to health care providers and employer group health plans.
The administrative simplification provisions of HIPAA have three major requirements:
HIPAA establishes both civil monetary penalties and federal criminal penalties for the knowing use or disclosure of protected health information in violation of HIPAA.
HIPAA contains detailed requirements for the use or disclosure of protected health information. Covered entities may only use and disclose PHI as permitted by HIPAA or more protective state rules.
UNC must make reasonable efforts to ensure that it uses, discloses, or requests only the minimum necessary information. For routine disclosures, this may be achieved by creating policies and procedures that limit the protected health information disclosed. For other disclosures, an individualized review will be required. When treating providers are sharing PHI for treatment purposes, this minimum necessary requirement does not apply. To ensure that only the minimum necessary PHI is used or disclosed, we will define role-based access to PHI to ensure that the right people are handling PHI in the appropriate way.
HIPAA also addresses use of protected health information for research purposes. HIPAA requires either a patient authorization or a waiver of the authorization requirement for the use, disclosure or creation of identifiable health information for research.
An authorization is not required for research using only "de-identified" data. If a researcher uses health information from which direct identifiers have been removed, then no authorization is required, but the researcher must enter into a data use agreement with the covered entity that holds the records. For further information, see HIPAA and research.
HIPAA addresses the need for covered entities to respect patient confidentiality when performing marketing or development activities. Consistent with current University practice, these activities should be conducted in a responsible manner and should be in accordance with HIPAA policies.
These policies apply to all individuals in any office, department or section which seeks to use PHI for marketing and fundraising purposes.
Contractors that handle protected health information while providing a function or activity for a covered component at UNC must satisfy certain HIPAA requirements. All contracts must require that contractors, called business associates in the regulations, use appropriate safeguards to prevent use or disclosure of the information other than as permitted by the contract. The University may be held responsible for the actions of its business associates if (1) it knew of a pattern of activity by the business associate that violated the contract and (2) it failed to take reasonable steps to correct the problem.
The privacy rule creates five individual rights:
We are required to comply with a number of administrative requirements, including the following:
UNC is required to apply the security standards to all health information pertaining to an individual that is electronically maintained or transmitted. The security rule has not yet been issued in final form but the proposed regulation outlines the general security measures, including administrative, technical and physical safeguards. Under the proposed rules, UNC must:
© 2008 The University of North Carolina at Chapel Hill. All rights reserved.
Site maintained by the Research Compliance Program. Last revised 05/23/08.