The privacy, security and breach notification requirements of the Federal Health Insurance Portability and Accountability Act of 1996, together with the associated expansion of federal regulations in the last decade, are collectively referred to as HIPAA. HIPAA applies to health information created or maintained by health care providers who engage in certain electronic transactions, health plans and health care clearinghouses.
Texas A&M Controls for Health Data Privacy and Security
The university is responsible for ensuring that both HIPAA-related Electronic Protected Health Information (ePHI) and any individually identifiable health information not subject to HIPAA are secure from unauthorized disclosure. Both ePHI and other personal health information should be accorded the same additional information technology controls.
To ensure technical safeguarding of ePHI remains consistent, Technology Services will require additional controls such as:
- ePHI Encryption and Decryption Control
- ePHI Audit Log Requirements Control
- ePHI Information System Activity Review Control
- ePHI Security Incident Procedures Control
- Inadvertent Disclosure of ePHI Information via Email
- ePHI Secure Email Transmission Control
- Role Based Access and Access Annual Review Control
- Mobile Device Management