Health Insurance Portability and Accountability Act

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was signed into law by President Bill Clinton on August 21, 1996. HIPAA's main goal was to ensure the portability of health insurance benefits, particularly as individuals moved from job to job. However, the law also contains a subtitle entitled Administrative Simplification, with three additional goals:

Simplify the administration and processing of health data by implementing industry-wide standards for transmitting certain health and related financial information;

Create standards to ensure the privacy and security of health information that is transmitted or stored electronically; and

Reduce the costs and administrative overhead of processing health and related financial information.

The second goal above is the basis for both the HIPAA Privacy Rule and the HIPAA Security Rule; this page covers the Security Rule. For additional information on HIPAA Privacy, please refer back to the Home Page.


 
What is the difference between the HIPAA Privacy and the HIPAA Security Rules?

The Privacy Rule sets the standards for how protected health information (PHI) in any form, whether spoken, on paper or electronic, may be used and disclosed. The Security Rule defines the standards that require covered entities to implement administrative, physical and technical safeguards to protect the confidentiality, integrity, and availability of electronic protected health information (EPHI). Privacy depends upon security measures: no security, no privacy.


What is a covered entity?

A covered entity is a health plan, a health care clearinghouse, or a health care provider that transmits health information in electronic form in connection with a HIPAA standard transaction (for example, claims or eligibility checks). A business associate that stores, maintains or transmits EPHI on behalf of a covered entity must protect that EPHI under the same safeguards. All covered entities must comply with the Security Rule.


What is protected health information?

Protected Health Information (PHI) is individually identifiable health information, whether oral or recorded in any form, that relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to the individual, or the payment for that health care. Health information from which the individual cannot reasonably be identified (de-identified data) is not PHI.


What does HIPAA mean by electronic media?

Electronic media means electronic storage media, including memory in computers (hard drives) and any removable or transportable digital memory medium such as magnetic tape or disk, optical disk or memory card, as well as transmission media used to exchange information already in electronic storage, such as the Internet, leased lines, dial-up lines, intranets and private networks.


Does the HIPAA Security Rule apply to written and oral communications?

The Security Rule applies only to PHI in electronic form (EPHI). Written and oral PHI are still protected, but by the Privacy Rule rather than the Security Rule.


Why do I need to know about HIPAA Security?

The Security Rule requires that all workforce members who access computers containing EPHI be trained on HIPAA security issues. This training helps you protect the confidentiality, integrity and availability of EPHI. We all have responsibilities in implementing safeguards and actions to protect EPHI. Under the HIPAA guidelines this training is required annually for all workforce members.


Where are our policies and implementation standards located?

HIPAA Privacy and Security Policies and Standards for system administrators and owners can be accessed at www.ecu.edu/cs-dhs/hipaa/security/intranet/policies-standards. Your PirateID and passphrase are required to access the Security Policies and Standards. Healthcare computing system administrators and owners are responsible for reviewing and adhering to all of the HIPAA Security Policies and Standards on this site. All other workforce members are responsible for reviewing and adhering to the HIPAA Security Applicable Use Policy.


What are workforce members?

Workforce members are employees (e.g. faculty, staff, temporary staff), students (e.g. residents, house staff), volunteers and other persons directly affiliated with the University whose work is under the University's direct control.


How will we know if our organization and our systems are compliant with the HIPAA Security Rule’s requirements?

Adherence to the HIPAA Security Policies and Standards will assist healthcare computing systems in becoming compliant. Compliance is not a one-time goal; it must be achieved and then maintained. The process works as follows. The administrator or owner of a healthcare computing system submits the system name to the HIPAA Privacy Officer (Anthony Bartholomew). The Privacy Officer arranges for an IT representative to assess the system and gauge its level of HIPAA compliance. Each healthcare computing system must then implement the policies and procedures specified in the assessment to move toward compliance. Once those policies and procedures are implemented and documented, IT Security issues a report stating the system's level of compliance. It is the responsibility of the healthcare computing system's administrator or owner to implement the changes needed to satisfy the HIPAA Security Rule, and to periodically reassess the system to ensure that compliance is maintained.


What is a healthcare computing system?

A healthcare computing system is a device or group of devices that stores EPHI which is shared across the network and accessed by healthcare workers.


Can electronic protected health information (EPHI) be emailed?

Do not send EPHI over email unless (a) you send the email from your account on the university's enterprise email system to another account on the same enterprise email system, or (b) you are sending to an address outside the enterprise email system and you have taken appropriate safeguards, such as encrypting the message or the attachment, to prevent unauthorized access to the enclosed EPHI. Email sent outside the university's enterprise email system travels over networks the university does not control and puts the EPHI at risk of exposure to external parties.


What is a system vulnerability?

A system vulnerability is a flaw or weakness in a system arising from its design, its installation or configuration, a lack of policies and procedures, or some other cause. Any such weakness, whether introduced intentionally or accidentally, could result in a breach or in inappropriate use or disclosure of EPHI. Common examples are ineffective policies for user or logon IDs and passwords, weaknesses in software tools, flaws in the operating system or applications, and inadequate access controls.


How does the Security Rule mandate how EPHI should be protected?

The Security Rule mandates administrative, physical and technical safeguards, each made up of standards and implementation specifications that describe the technologies, policies, standards and procedures that must be in place to ensure adequate ongoing protection of EPHI. The Rule is flexible and scalable: each implementation specification is either "required" or "addressable". An addressable specification is not optional; a covered entity must either implement it or document why it is not reasonable and appropriate in its environment and implement an equivalent alternative measure. These safeguards are based upon information security best practices.


How do I obtain HIPAA Security Training?

The Security training for healthcare workforce members is available as part of the yearly HIPAA required training. Check the HIPAA Security Training page for details. The Security training for healthcare systems administrators and owners is available through signup in OneStop. Select the HIPAA Security Rule Training for Systems Administrators under University Training.


What is the penalty for not complying with the HIPAA Security Rule?

HIPAA provides for civil and criminal penalties for failing to comply with the Security Rule. How, and how severely, the penalties are enforced depends on the actions a covered entity took as soon as it became aware of violations involving the Security Rule. This means that we have to make a good-faith effort to adhere to the requirements of the Security Rule. The consequences for criminal violations of HIPAA may include fines of up to $250,000 and imprisonment.

East Carolina University
East Fifth Street | Greenville, NC 27858-4353 USA
© 2008 | terms of use | Last Updated: 10.17.2008