Security Rule
Security Rule Requirements
The Security Rule establishes the national security standards for protecting individuals’ electronic protected health information (e-PHI) that is created, received, used or maintained by a Covered Entity (or Business Associate). The Security Rule mandates administrative, physical and technical safeguards to ensure the confidentiality, integrity and availability of e-PHI. UNC-Chapel Hill is required to apply these standards to all health information pertaining to an individual that is electronically maintained or transmitted, and must:
- Assign a security official who is responsible for the development and implementation of security policies and procedures for e-PHI.
- Assess security risks and determine the major threats to the security and privacy of PHI.
- Establish a program to address physical security, personnel security, technical security controls, security incident response and disaster recovery.
- Certify the effectiveness of security controls.
- Develop policies, procedures and guidelines for the use of personal computing devices (workstations, laptops, hand-held devices).
- Ensure mechanisms are in place that allow, restrict and terminate access (access control lists, user accounts, etc.) appropriate to an individual’s status, change of status or termination.
- Implement access controls, which may include encryption, context-based access, role-based access or user-based access, together with audit control mechanisms, data authentication and entity authentication.