The Privacy Rule sets the standards for how protected patient health information should be controlled. The Security Rule defines the standards which require covered entities to implement basic safeguards to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI). Privacy depends upon security measures: no security, no privacy.
A covered entity is any healthcare provider, and any business associate of that provider, that stores, maintains, or transmits health information in electronic form. All covered entities must comply with the Security Rule.
Protected Health Information (a.k.a. PHI) is any oral or recorded information relating to the past, present, or future physical or mental health of an individual, the provision of health care to the individual, or payment for the health care of the individual.
Electronic storage media includes storage in computers (hard drives) and any removable or transportable digital memory medium, such as magnetic tape or disk, optical disk, or memory card, as well as transmission media used to exchange information (the Internet, leased lines, dial-up, intranets, private networks).
Health information that is stored on a computer or transmitted across computer networks, including the Internet, is vulnerable to and must be protected from:
The Security Rule requires covered entities to assess their exposure to these and other threats.
Do not send ePHI over email unless (a) you send the email from your account on the university’s enterprise email system to another account on the enterprise email system, or (b) you send email to locations outside of the enterprise email system and have taken appropriate safeguards to prevent unauthorized access to the enclosed ePHI. Sending email outside the university’s enterprise email system puts the ePHI in jeopardy of exposure to external parties.
Encryption is a technique for transforming information in such a way that it becomes unreadable. This means that even if a hacker is able to gain access to a computer that contains ePHI, they will not be able to read or interpret this information. For encryption options at ECU, visit IT Security's data encryption page.
The Security Rule mandates flexible and scalable administrative, physical and technical safeguards that outline technologies, policies, standards and procedures that should be put in place to ensure adequate ongoing protection of ePHI. These safeguards are based upon information security best practices.
Yes, the Office for Civil Rights (OCR) of the Department of Health and Human Services has implemented a nationwide HIPAA Audit Program as a part of the HITECH Act of 2009. Entities selected for an audit will be informed by OCR of their selection and asked to provide documentation of their privacy and security compliance efforts. The audit will include a site visit and result in an audit report. Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to address the problem.
HIPAA provides for civil and criminal penalties for failing to comply with the Security Rule. How the penalties are enforced, and the degree to which they are enforced, is based on the actions a covered entity took as soon as it became aware of violations involving the Security Rule. This means that we have to make a good faith effort to adhere to the requirements of the Security Rule. The consequences for criminal violations of the HIPAA Security Rule may include fines of up to $1.5 million and imprisonment.
The complete text of the Federal regulation can be accessed from the U.S. Department of Health and Human Services website.