Security Frequently Asked Questions

What is the difference between the HIPAA Privacy and Security Rules?

The Privacy Rule sets the standards for how protected patient health information should be controlled. The Security Rule defines the standards which require covered entities to implement basic safeguards to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI). Privacy depends upon security measures: no security, no privacy.

What is a covered entity?

A covered entity is a health plan, a health care clearinghouse, or a health care provider that transmits health information in electronic form in connection with a HIPAA standard transaction. Business associates that create, receive, maintain or transmit ePHI on a covered entity's behalf are also directly bound by the Security Rule. All covered entities must comply with the Security Rule.

What is protected health information?

Protected Health Information (PHI) is individually identifiable health information, in any form (oral, written, or electronic), that relates to an individual's past, present, or future physical or mental health or condition, the provision of health care to the individual, or payment for that care.

What does HIPAA mean by electronic media?

Electronic media includes electronic storage media (computer hard drives and any removable or transportable digital memory medium such as magnetic tape or disk, optical disk, or memory card) and transmission media used to exchange information already in electronic storage (the Internet, leased lines, dial-up lines, intranets, and private networks).

What are some examples of security threats that covered entities face today?

Health information that is stored on a computer or transmitted across computer networks, including the Internet, is vulnerable to and must be protected from:

  • Hacker and disgruntled employee abuse
  • Untrained personnel mishandling
  • Exploitation by people not having a “need to know”
  • Unplanned system outages
  • Burglary and theft
  • Fire, flood, and other disasters

The Security Rule requires covered entities to assess their exposure to these and other threats.

Can electronic protected health information (ePHI) be emailed?

Do not send ePHI over email unless (a) you send the email from your account on the university's enterprise email system to another account on the enterprise email system, or (b) you are sending to an address outside the enterprise email system and have applied appropriate safeguards (for example, encrypting the message or attachment) to prevent unauthorized access to the enclosed ePHI. Email that leaves the university's enterprise email system passes through mail servers the university does not control and exposes the ePHI to external parties.

What is encryption?

Encryption is a technique for transforming information so that it cannot be read without the corresponding key. This means that even if an attacker gains access to a computer or storage device that contains ePHI, they will not be able to read or interpret the data unless they also obtain the key. The protection therefore depends on keeping the key out of the attacker's reach: a stolen laptop that is powered off is protected, while a running, logged-in machine with the key loaded generally is not. For encryption options at ECU, visit IT Security's data encryption page.

How does the Security Rule mandate how ePHI should be protected?

The Security Rule mandates administrative, physical and technical safeguards, expressed as technologies, policies, standards and procedures that must be in place to ensure adequate ongoing protection of ePHI. The rule is flexible and scalable: it states what must be achieved and leaves each covered entity to choose implementations appropriate to its size and risk. These safeguards are based upon information security best practices.

Are audits performed to verify compliance with the HIPAA rules?

Yes, the Office for Civil Rights (OCR) of the Department of Health and Human Services has implemented a nationwide HIPAA Audit Program as required by the HITECH Act of 2009. Entities selected for an audit are informed by OCR of their selection and asked to provide documentation of their privacy and security compliance efforts. The audit may include a site visit and results in an audit report. Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to address the problem.

What is the penalty for not complying with the HIPAA Security Rule?

HIPAA provides for civil and criminal penalties for failing to comply with the Security Rule. How penalties are enforced, and how severely, depends on the actions a covered entity took once it became aware of violations involving the Security Rule. This means that we have to make a good faith effort to adhere to the requirements of the Security Rule. Civil penalties can reach $1.5 million per calendar year for violations of an identical provision, and criminal violations may carry fines and imprisonment.

Where can I find the documented final Security Rule?

The complete text of the Federal regulation can be accessed from the U.S. Department of Health and Human Services website.