HIPAA, Protected Health Information (PHI) and Confidential Data


SOP members who, as part of their duties in the School of Pharmacy, work with Protected Health Information (PHI) or other confidential data protected by HIPAA regulations will be required to meet with ITSOP. The meeting will assess how best to protect the data from compromise. Users should request a meeting with ITSOP by emailing itsop@unc.edu as early in the process as possible.

It is the opinion of ITSOP that the current campus network security environment does not provide adequate security for working on PHI or other HIPAA-protected data (08/07). ITSOP has begun the process of creating a secure local network environment for such data. The lack of adequate network security may require that additional steps be taken above and beyond those mandated by HIPAA. If possible, researchers should request that data be sent to them already de-identified by the supplier; data that has been de-identified in the HIPAA sense is no longer PHI and is not subject to the Privacy Rule, which removes the problem rather than mitigating it.

As summarized below, a number of federal and state laws (including HIPAA) may apply to information collected and maintained by University employees. Please direct questions regarding the applicability of these laws and other potential legal issues to ITSOP or the UNC Office of General Counsel.

Click here to read the SOP HIPAA Policy

Click here to read the SOP Data Destruction Policy

 

Computer Fraud and Abuse Act (CFAA)

Enacted in 1984 (and substantially revised in 1994), the CFAA (18 U.S.C. § 1030) criminalizes unauthorized access to a “protected computer” with the intent to defraud, to obtain information of value, or to cause damage to the computer. Under the CFAA, a “protected computer” is a computer used in or affecting interstate or foreign commerce or communication, or one used by or for a financial institution or the government of the United States. In practice this covers almost any networked system. For example, “hacking” into a secure web site from an out-of-state computer may violate the CFAA.

Electronic Communications Privacy Act (ECPA)

Enacted in 1986, the ECPA broadly prohibits (and makes criminal) the unauthorized interception or use of the contents of wire, oral or electronic communications. In addition, through its Stored Communications Act provisions, the ECPA prohibits unauthorized access to, or disclosure of, electronically stored communications or information. These prohibitions may apply to University employees who willfully exceed the scope of their duties or authorizations by accessing certain databases housed within the University system. The ECPA does not, however, prohibit the University from monitoring network usage levels and patterns in order to ensure the proper functioning of its information systems.

The Family Educational Rights and Privacy Act (FERPA)

Enacted in 1974, FERPA (also known as the Buckley Amendment) affords students (or their parents, until the student turns 18 or enrolls in a postsecondary institution) certain rights with respect to the student’s “education records.” As defined under FERPA, the term “education records” encompasses a broad range of materials and information, such as disciplinary, financial and academic records established during a given student’s enrollment and maintained in a variety of University databases and other filing arrangements. In particular, FERPA provides that “education records” and the personally identifiable information contained in them may not be released or disclosed (including disclosure by word of mouth) without the written consent of the student (or parents, as the case may be). Violations of FERPA may result not only from the unauthorized disclosure of education records but also from the failure to exercise due care in protecting such records against unauthorized access by outsiders. However, even in the absence of express student (or parental) consent, FERPA permits disclosure of education records to University employees who have a legitimate educational interest in the student, and to outside parties in a variety of circumstances, such as where public health or safety is at issue.

Health Insurance Portability and Accountability Act (HIPAA)

Enacted in 1996, HIPAA sets national standards for the protection of certain types of health information held or transmitted by health plans, health care clearinghouses, and health care providers. Its Privacy Rule governs how protected health information may be used and disclosed, and its Security Rule requires administrative, physical and technical safeguards for PHI in electronic form (ePHI). The University is subject to HIPAA as a provider of employee group health plans. Accordingly, with respect to such health plans, the University has:

(a) adopted written privacy procedures describing who has access to protected health information, how such information will be used, and when it may be disclosed;

(b) required business associates to protect the privacy of such health information;

(c) trained employees in the applicable privacy policies and procedures; and

(d) designated a Privacy Officer to be responsible for ensuring that such policies and procedures are followed.

HIPAA may also apply to certain research activities, such as the collection and use of personally identifying health information from patient populations in clinical settings. Further information regarding compliance with HIPAA is available through the University’s Privacy Officer in Risk Management.

The Financial Services Modernization Act of 1999 (also known as the Gramm-Leach-Bliley Act (GLBA))

Enacted in 1999, the GLBA requires financial institutions to carefully protect customers’ financial information. Universities are “financial institutions” under the Act by virtue of their student loan servicing and therefore must comply with GLBA provisions. The GLBA has two relevant components:

(1) the “safeguarding” rules, and

(2) privacy rules.

Under the safeguarding rules, all personally identifiable financial information from students, parents, and employees must be protected against foreseeable risks of disclosure, intrusion and systems failure. The University has designated information security program managers in the business units that handle financial information, identified risks to the security of financial information, and is developing security programs to protect against those risks. Because the privacy standards of GLBA must be followed for all non-student financial information, the University is developing a privacy policy to comply with GLBA and will make the required privacy notifications to non-student customers whose financial information is obtained. More information is available on the Federal Trade Commission website:

http://www.ftc.gov/privacy/glbact/index.html 

The Technology, Education, and Copyright Harmonization Act (TEACH Act)

Enacted in 2002, the TEACH Act relaxes certain copyright restrictions so that accredited, non-profit colleges and universities may use multimedia content for instructional purposes in technology-mediated settings. However, the TEACH Act carries a number of security requirements designed to ensure that digitally transmitted content is accessible only to students who are properly enrolled in a given course, and that technological measures reasonably prevent students from retaining the content beyond the class session or redistributing it.

State Laws

In addition to the federal laws summarized above, there may be particular state laws that apply to the handling of confidential information. For example, state laws may govern the collection or use of information regarding children, consumers and other groups. Before establishing new practices with regard to the handling of confidential information, University employees are encouraged to consult the Office of General Counsel on campus. 

Vendor Agreements

When negotiating contracts with third-party vendors, SOP employees should consider whether such vendors require access to UNC databases or to other filing systems containing confidential information. Agreements providing third-party vendors with access to such information must ensure that the vendor is subject to obligations of confidentiality that will enable UNC to comply with its own obligations under the applicable privacy laws. In addition, such vendors should be contractually obligated to implement data protection and security measures commensurate with UNC’s own. By the same token, SOP employees must be careful not to disclose confidential information entrusted to their care by an outside party, especially when such information is governed by the terms of a confidentiality agreement or clause with that party.
