Skip to main content

Security Rule

Security Rule Requirements

The Security Rule establishes the national security standards to protect individuals’ electronic PHI created, received, used or maintained by a Covered Entity (or Business Associate). The Security Rule mandates administrative, physical and technical safeguards to ensure the confidentiality, integrity, availability and security of electronic PHI (e-PHI). UNC-Chapel Hill is required to apply these standards to all health information pertaining to an individual that is electronically maintained or transmitted and must:

  • Assign a security official who is responsible for the development and implementation of security policies and procedures for e-PHI.
  • Assess security risks and determine the major threats to the security and privacy of PHI.
  • Establish a program to address physical security, personnel security, technical security controls, security incident response and disaster recovery.
  • Certify the effectiveness of security controls.
  • Develop policies, procedures and guidelines for the use of personal computing devices (workstations, laptops, hand-held devices).
  • Ensure mechanisms are in place that allow, restrict and terminate access (access control lists, user accounts, etc.) appropriate to an individual’s status, change of status or termination.
  • Implement access controls that may include encryption, context-based access, role-based access or user-based access; audit control mechanisms, data authentication,and entity authentication.