HIPAA

The University of North Carolina at Chapel Hill
Office of Civil Rights HIPAA page

In 1996, Congress enacted the Health Insurance Portability and Accountability Act (HIPAA), one purpose of which is to protect health information by establishing transaction standards for the exchange of health information, security standards, and privacy standards for the use and disclosure of individually identifiable health information. HIPAA applies to health care providers and employer group health plans.

The administrative simplification provisions of HIPAA have three major requirements:

  1. Protection for the privacy of Protected Health Information

  2. Protection for the security of Protected Health Information

  3. Standardization of electronic data interchange in health care transactions

Penalties

HIPAA establishes both civil monetary penalties and federal criminal penalties for the knowing use or disclosure of protected health information in violation of HIPAA.

Privacy Requirements

1. Rules Concerning the Use and Disclosure of Protected Health Information

HIPAA contains detailed requirements for the use or disclosure of protected health information. Covered entities may only use and disclose PHI as permitted by HIPAA or more protective state rules.

2. Minimum Necessary

UNC must make reasonable efforts to ensure that it uses, discloses, or requests only the minimum necessary information. For routine disclosures, this may be achieved by creating policies and procedures that limit the protected health information disclosed. For other disclosures, an individualized review will be required. When treating providers are sharing PHI for treatment purposes, this minimum necessary requirement does not apply. To ensure that only the minimum necessary PHI is used or disclosed, we will define role-based access to PHI so that the right people handle PHI in the appropriate way.

3. Research

HIPAA also addresses use of protected health information for research purposes. HIPAA requires either a patient authorization or a waiver of the authorization requirement for the use, disclosure or creation of identifiable health information for research.

An authorization is not required for research using only "de-identified" data. If a researcher uses health information from which direct identifiers have been removed, then no authorization is required, but the researcher must enter into a data use agreement with the entity that holds the records. For further information, see HIPAA and research.

4. Marketing and Fundraising

HIPAA addresses the need for covered entities to respect patient confidentiality when performing marketing or development activities. Consistent with current University practice, these activities should be conducted in a responsible manner and should be in accordance with HIPAA policies.

These policies apply to all individuals in any office, department or section that seeks to use PHI for marketing and fundraising purposes.

5. Business Associates

Contractors that handle protected health information while providing a function or activity for a covered component at UNC must satisfy certain HIPAA requirements. All contracts must require that contractors, called business associates in the regulations, use appropriate safeguards to prevent use or disclosure of the information other than as permitted by the contract. The University may be held responsible for the actions of its business associates if (1) it knew of a pattern of activity of the business associate that violated the contract and (2) failed to take reasonable steps to correct the problem.

6. Individual Rights

The privacy rule creates five individual rights:

  1. Right to a notice of a covered entity’s privacy practices.

  2. Right to request restrictions and confidential communications concerning protected health information.

  3. Right to obtain access to protected health information for inspection and copying.

  4. Right to obtain an accounting of certain disclosures.

  5. Right to request amendment of protected health information.

7. Administrative Requirements

We are required to comply with a number of administrative requirements, including the following:

  1. Designation of a privacy official responsible for development of policies and procedures for the use and disclosure of protected health information.

  2. Implementation of an internal complaint process to handle complaints relating to privacy rules and to explain privacy procedures.

  3. Workforce training by the compliance date (for privacy standards, this is April 14, 2003).

  4. Implementation of administrative, technical and physical safeguards to protect the confidentiality and integrity of PHI.

  5. Development and enforcement of sanctions for failure to comply with policies and procedures.

  6. Development of procedures to mitigate adverse effects of a prohibited use or disclosure.

  7. Development and enforcement of policy prohibiting retaliation against a person for exercising individual rights or filing a complaint.

Security Requirements

UNC is required to apply the security standards to all health information pertaining to an individual that is electronically maintained or transmitted. The security rule has not yet been issued in final form but the proposed regulation outlines the general security measures, including administrative, technical and physical safeguards. Under the proposed rules, UNC must:

  • Assign responsibility for security to a person or organization.

  • Assess security risks and determine the major threats to the security and privacy of protected health information.

  • Establish a program to address physical security, personnel security, technical security controls, security incident response and disaster recovery.

  • Certify the effectiveness of security controls.

  • Develop policies, procedures and guidelines for use of personal computing devices (workstations, laptops, hand-held devices), and for ensuring mechanisms are in place that allow, restrict and terminate access (access control lists, user accounts, etc.) appropriate to an individual's status, change of status or termination.

  • Implement access controls that may include encryption, context-based access, role-based access, or user-based access; audit control mechanisms, data authentication, and entity authentication.
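The role-based access control described under Minimum Necessary (with its treatment exception) and the audit-control and accounting-of-disclosures requirements above can be tied together in one small routine. The following is an added illustration, not UNC code: the record fields, role names and purpose names are constructed for the example, and a real system would load the policy table from configuration rather than hard-code it.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample record; the field names are illustrative, not UNC's schema.
PHI_RECORD = {
    "mrn": "MRN-000123",
    "name": "Sample Patient",
    "dob": "1970-01-01",
    "diagnosis": "hypertension",
    "medications": ["lisinopril"],
    "insurance_id": "INS-987",
    "visit_date": "2008-05-01",
}

# Routine-disclosure policy: for each (role, purpose) pair, the fields that are
# the minimum necessary. Pairs not listed here need an individualized review.
MIN_NECESSARY = {
    ("billing", "payment"): {"mrn", "name", "insurance_id", "visit_date"},
    ("researcher", "research"): {"diagnosis", "medications", "visit_date"},
    ("development", "fundraising"): {"name"},
}


@dataclass
class DisclosureLog:
    """Audit trail that supports the individual's right to an accounting of disclosures."""
    entries: list = field(default_factory=list)


def disclose(record, role, purpose, log):
    """Return only the fields permitted for role/purpose and record the disclosure."""
    if role == "treating_provider" and purpose == "treatment":
        # Minimum necessary does not apply when providers share PHI for treatment.
        allowed = set(record)
    else:
        allowed = MIN_NECESSARY.get((role, purpose))
        if allowed is None:
            # Not a routine disclosure: refuse and leave it to individualized review.
            raise PermissionError(f"{role}/{purpose}: no routine policy, review required")
    released = {k: v for k, v in record.items() if k in allowed}
    log.entries.append({
        "when": datetime.now(timezone.utc).isoformat(),
        "role": role,
        "purpose": purpose,
        "fields": sorted(released),
    })
    return released
```

Refused requests are deliberately not logged as disclosures, since nothing was released; a production system would record them separately as access-denied events.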

© 2008 The University of North Carolina at Chapel Hill. All rights reserved.

Site maintained by the Research Compliance Program. Last revised 05/23/08.