East Carolina University HIPAA Regulation

Updated: September 19, 2024
Policy:
REG12.60.26
Title:
East Carolina University HIPAA Regulation
Category:
Health Affairs
Sub-category:
Health Affairs Matters - General
Authority:
Chancellor
History:

Approved to post November 1, 2019. Updated September 19, 2024.

Contact:

Office of Institutional Integrity, (252) 744-5200

Related Policies:

1. Introduction

  • 1.1. HIPAA (Health Insurance Portability and Accountability Act of 1996) is a federal law which establishes a minimum level of privacy protections related to “protected health information” (PHI). This law affords certain rights to individuals regarding their PHI and imposes obligations upon many institutions that maintain such PHI. The HIPAA law was further amended to strengthen and improve the workability and effectiveness and to increase flexibility for and decrease burden on the regulated entities through the Health Information Technology for Economic and Clinical Health Act (HITECH Act as part of the American Recovery and Reinvestment Act of 2009) and The Final Rule or Omnibus Rule (2013). HIPAA law includes the HIPAA Privacy Rule, HIPAA Breach Notification Rule, and the HIPAA Security Rule.
    • 1.1.1. The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information. The rule applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of PHI and sets limits and conditions on the uses and disclosures that may be made without patient authorization. The Rule also gives individuals rights over their PHI, including rights to examine and obtain a copy of their health records and to request corrections. Covered entities that engage business associates to work on their behalf must have contracts or other arrangements in place with their business associates to ensure that the business associates safeguard protected health information and use and disclose the information only as permitted or required by the Privacy Rule.
    • 1.1.2. The HIPAA Breach Notification Rule requires covered entities and their business associates to provide notification following a breach of unsecured protected health information. The Rule specifically defines what constitutes a “breach” and outlines increasing levels of required notifications based on guidelines that a covered entity or business associate must adhere to in the event of a breach.
    • 1.1.3. The HIPAA Security Rule applies only to electronic protected health information (ePHI) and requires covered entities to implement certain administrative, physical, and technical safeguards to protect electronic health information. Similar to the Privacy Rule, covered entities must have contracts or other arrangements in place with their business associates to ensure satisfactory assurances that the business associates will appropriately safeguard the electronic PHI that they create, receive, maintain, or transmit on behalf of the covered entity.
  • 1.2. Definitions
    • 1.2.1. Protected Health Information (PHI) – individually identifiable health information that is a subset of health information, including demographic information collected from an individual, and is created or received by a health care provider, health plan, employer, or health care clearinghouse that relates to the past, present, or future physical or mental health or condition of a subject, the provision of health care to a subject, or the past, present, or future payment for the provision of health care to a subject and that identifies the subject, or with respect to which there is reasonable basis to believe the information can be used to identify the individual. For specifics regarding PHI, refer to ECU’s HIPAA Permitted Uses and Disclosures of Protected Health Information (PHI) rule.
    • 1.2.2. Electronic Protected Health Information (ePHI) – individually identifiable health information which is created, received, transmitted, or maintained in electronic form.
    • 1.2.3. Business Associate – a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. For specifics regarding a Business Associate, refer to ECU’s HIPAA Business Associate rule.
    • 1.2.4. Health Care Component – a component of a covered entity designated by the entity that functions as a health care provider, as defined by HIPAA. For clarity, health care providers and practices operating as part of the joint enterprise of ECU Health are not health care components of ECU and are instead a part of the Affiliated Covered Entity “ECU Health” and subject to the ECU Health HIPAA policies.
    • 1.2.5. HIPAA System – any hardware, software, server, workstation, or mobile device that a health care component uses in the course of its daily functions to create, receive, transmit, or maintain ePHI.
    • 1.2.6. Workforce member – employees, volunteers, trainees, learners, faculty, students, and other persons whose conduct in the performance of work for an ECU health care component is under the direct control of such ECU health care component, whether or not they are paid by the ECU health care component.

2. Purpose

  • 2.1. The purpose of this Regulation is to outline ECU’s commitment of compliance with the federal HIPAA Rules and/or any subsequent federal amendments.

3. Procedure

  • 3.1. Policy Oversight
    • 3.1.1. Once a HIPAA policy or rule has been developed or revised by the Office of Institutional Integrity, the ECU HIPAA Privacy Officer and the General Counsel/Vice Chancellor for Legal Affairs must approve before the policy/rule becomes an official part of the HIPAA Privacy or Security Manual.

4. Governance

  • 4.1. This regulation applies to all East Carolina University workforce members within ECU health care components and/or support roles for a health care component. ECU health care components consist of, but may not be limited to, the following departments or divisions within ECU: School of Dental Medicine, Division of Student Affairs Student Health Services, College of Allied Health Sciences, and College of Nursing.
  • 4.2. HIPAA Manuals
    • 4.2.1. The HIPAA Privacy Manual is maintained on ECU’s Office of Institutional Integrity’s website and is a compilation of East Carolina University’s HIPAA Privacy rules that provide guidance to ECU’s health care components that create, maintain, or transmit PHI. This manual includes: Use and Disclosure of PHI, patient requests, breach of unsecured health information, and miscellaneous HIPAA privacy rules and how they pertain to ECU. The HIPAA Privacy Manual also includes rules that cover the Breach Notification Rule.
    • 4.2.2. The HIPAA Security Manual is maintained on ECU’s Office of Institutional Integrity’s website and is a compilation of East Carolina University’s HIPAA Security rules that outline the HIPAA Security Rule’s administrative, physical, and technical safeguards for ensuring the confidentiality, integrity, and availability of ePHI created, received, transmitted, or maintained by the University’s designated health care components.
  • 4.3. All workforce members must abide by and enforce this PRR and related policies, rules, procedures, guidelines, and regulations found in the HIPAA Privacy Manual and HIPAA Security Manual maintained on ECU’s Office of Institutional Integrity’s website. ECU employees working as part of the joint enterprise ECU Health must abide by and enforce the HIPAA policies of the ECU Health Affiliated Covered Entity.
  • 4.4. The federal rules and regulations included in this document are subject to periodic updates or amendments. Any revision to the corresponding manuals will follow the outlined policy oversight mentioned above.