East Carolina University HIPAA Regulation

Version 1 (Current Version)
Policy: REG12.60.26
Title: East Carolina University HIPAA Regulation
Category: Health Affairs
Sub-category: Health Affairs Matters - General
Authority: Chancellor
History

Approved to post November 1, 2019.

Contact

Office of Institutional Integrity, (252) 744 - 5200

Related Policies
Additional References

HIPAA Privacy Rule: 45 CFR Part 160 & 45 CFR Part 164 Subparts A and E

HIPAA Breach Notification Rule: 45 CFR Part 164 Subpart D

HIPAA Security Rule: 45 CFR Part 160 & 45 CFR Part 164 Subparts A and C

HITECH Act

HIPAA Privacy Manual

HIPAA Security Manual


1. Introduction

1.1. HIPAA (Health Insurance Portability and Accountability Act of 1996) is a federal law which establishes a minimum level of privacy protections related to “protected health information” (PHI). This law affords certain rights to individuals regarding their PHI and imposes obligations upon many institutions that maintain such PHI. HIPAA was further amended, through the Health Information Technology for Economic and Clinical Health Act (the HITECH Act, part of the American Recovery and Reinvestment Act of 2009) and the Final Rule or Omnibus Rule (2013), to strengthen and improve its workability and effectiveness and to increase flexibility for, and decrease the burden on, regulated entities. HIPAA law includes the HIPAA Privacy Rule, the HIPAA Breach Notification Rule, and the HIPAA Security Rule.

1.1.1. The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information. The Rule requires appropriate safeguards to protect the privacy of PHI and sets limits and conditions on the uses and disclosures that may be made without patient authorization. The Rule also gives individuals rights over their PHI, including rights to examine and obtain a copy of their health records and to request corrections.

1.1.2. The HIPAA Breach Notification Rule requires covered entities and their business associates to provide notification following a breach of unsecured protected health information. The Rule specifically defines what constitutes a “breach” and outlines increasing levels of required notifications based on guidelines that a covered entity or business associate must adhere to in the event of a breach.

1.1.3. The HIPAA Security Rule applies only to electronic protected health information (ePHI) and requires covered entities to implement certain administrative, physical, and technical safeguards to protect electronic health information. Similar to the Privacy Rule, covered entities must have contracts or other arrangements in place with their business associates to ensure satisfactory assurances that the business associates will appropriately safeguard the electronic PHI that they create, receive, maintain, or transmit on behalf of the covered entity.

1.2. Definitions

1.2.1. Protected Health Information (PHI) – individually identifiable health information that is a subset of health information, including demographic information collected from an individual, and is created or received by a health care provider, health plan, employer, or health care clearinghouse that relates to the past, present, or future physical or mental health or condition of a subject, the provision of health care to a subject, or the past, present, or future payment for the provision of health care to a subject and that identifies the subject, or with respect to which there is reasonable basis to believe the information can be used to identify the individual. For specifics regarding PHI, refer to ECU’s HIPAA Permitted Uses and Disclosures of Protected Health Information (PHI) rule.

1.2.2. Electronic Protected Health Information (ePHI) – individually identifiable health information which is created, received, transmitted, or maintained in electronic form.

1.2.3. Business Associate – a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. For specifics regarding a Business Associate, refer to ECU’s HIPAA Business Associate rule.

1.2.4. Health Care Component – a component of a covered entity designated by the entity that functions as a health care provider, as defined by HIPAA.

1.2.5. HIPAA System – any hardware, software, server, workstation, or mobile device that a health care component uses in the course of its daily functions to create, receive, transmit, or maintain ePHI.

1.2.6. Workforce member – employees, volunteers, trainees, learners, faculty, students, and other persons whose conduct, in the performance of work for an ECU health care component, is under the direct control of such ECU health care component, whether or not they are paid by the ECU health care component.

2. Purpose

2.1. The purpose of this Regulation is to outline ECU’s commitment to compliance with the federal HIPAA Rules and/or any subsequent federal amendments.

3. Procedure

3.1. Policy Oversight

3.1.1. Each University rule or policy included in the HIPAA Privacy Manual and the HIPAA Security Manual is reviewed and approved through the Division of Health Sciences. Once a policy has been developed or revised by the Office of Institutional Integrity, the following committees or individuals must approve before the policy becomes an official part of the HIPAA Privacy Manual or HIPAA Security Manual:

3.1.1.1. HIPAA Steering Committee;

3.1.1.2. ECU University Counsel; and

3.1.1.3. Vice Chancellor of Health Sciences

4. Governance

4.1. This regulation applies to all East Carolina University workforce members within ECU health care components and/or support roles for a health care component. ECU health care components consist of, but may not be limited to, the following departments or divisions within ECU: ECU Physicians Medical Faculty Practice Plan, School of Dental Medicine, Division of Student Affairs Student Health Services, School of Allied Health Speech and Language Clinic, ECU Physical Therapy Clinic at Family Medicine, and Children’s Developmental Services Agency.

4.2. HIPAA Manuals

4.2.1. The HIPAA Privacy Manual is maintained on ECU’s Office of Institutional Integrity’s website and is a compilation of East Carolina University’s HIPAA Privacy rules that provide guidance to ECU’s health care components that create, maintain, or transmit PHI. This manual includes: Use and Disclosure of PHI, patient requests, breach of unsecured health information, and miscellaneous HIPAA privacy rules and how they pertain to ECU. The HIPAA Privacy Manual also includes rules that cover the Breach Notification Rule.

4.2.2. The HIPAA Security Manual is maintained on ECU’s Office of Institutional Integrity’s website and is a compilation of East Carolina University’s HIPAA Security rules that outline the HIPAA Security Rule’s administrative, physical, and technical safeguards for ensuring the confidentiality, integrity, and availability of ePHI created, received, transmitted, or maintained by the University’s designated health care components.

4.3. All workforce members must abide by and enforce this PRR and related policies, rules, procedures, guidelines, and regulations found in the HIPAA Privacy Manual and HIPAA Security Manual maintained on ECU’s Office of Institutional Integrity’s website.

4.4. The federal rules and regulations included in this document are subject to periodic updates or amendments. Any revision to the corresponding manuals will follow the outlined policy oversight mentioned above.