REG 01.25.09 – Privacy and Security of Protected Health Information

Authority: Issued by the Chancellor. Changes or exceptions to administrative regulations issued by the Chancellor may only be made by the Chancellor.

History: First Issued: April 14, 2003.  Last Revised: April 29, 2025.

Related Policies:
NCSU RUL01.25.02 – Student Health Service, Counseling Center and Sports Medicine Joint Rule Use and Disclosure of Protected Health Information

NCSU REG11.00.01 – Family Educational Rights and Privacy (FERPA)

Additional References:

Health Insurance Portability and Accountability Act of 1996
Health Insurance Portability and Accountability Act Regulations
Joint Guidance on the Application of HIPAA and FERPA to Student Health Records
Federal Policy for the Protection of Human Subjects (“Common Rule”)
Food and Drug Administration Regulations governing clinical trials of new drugs and medical devices
20 U.S.C. § 1232g – Family Educational And Privacy Rights Act
Title 34, Part 99 – Family Educational Rights and Privacy Regulations
45 CFR Part 46 – Protection of Human Subjects
45 CFR 164.501 – Public Welfare
NC State Institutional Review Board Forms & Templates

Contact Info:
NCSU Security Officer (919-513-7482)
NCSU Privacy Officer (919-515-6122)


1.  Purpose

1.1. The purpose of this regulation is to define how the University meets its compliance obligations with the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (HIPAA), Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) and North Carolina laws. HIPAA’s implementing regulations contain three primary rules: the Privacy Rule, the Security Rule and the Breach Notification Rule.

1.2. This regulation clarifies the distinction between Family Educational Rights and Privacy (FERPA) and HIPAA, administrative requirements, breaches, Business Associates, individual rights, information security and privacy assessments, research, sanctions for violations of this or other University policies and procedures concerning protected health information (PHI), and training. Units at the University that handle or access PHI may implement additional policies, regulations, standard operating procedures and guidelines concerning PHI, provided they do not conflict with this regulation.

2.  Scope

2.1. The University has designated itself as a Hybrid Entity as defined by HIPAA. Under this designation, only the parts of the University performing covered functions (each a “Covered Component”) are subject to HIPAA/HITECH. When determining which units, departments, clinics, programs and functions meet the definition of a Covered Component, the following criteria apply:

2.1.1. Would meet the definition of a covered entity if it were a separate legal entity.

2.1.2. Performs HIPAA-covered functions (e.g., treatment).

2.1.3. Performs activities that would make it a business associate if it were a separate legal entity.

2.2. Therefore, this regulation applies to all University employees, students and other persons affiliated with the following Covered Components:

2.2.1. Campus Health Services

2.2.2. Counseling Center

2.2.3. Diagnostic Teaching Clinic

2.2.4. Psychoeducation Clinic

2.3. It also applies to support units such as:

2.3.1. College of Veterinary Medicine (CVM)

2.3.2. Environmental Health and Safety (EH&S)

2.3.3. Insurance & Risk Management (IRM)

2.3.4. Internal Audit Division (IAD)

2.3.5. Institutional Review Board (IRB)

2.3.6. Office of General Counsel (OGC)

2.3.7. Office of Information Technology (OIT)

2.3.8. Security & Compliance (S&C)

2.4. Note: Other university employees and students could be held responsible for compliance with HIPAA/HITECH if they come into contact with PHI, even if they are not in one of our listed Covered Components.

3.  FERPA vs HIPAA Clarifications

3.1. FERPA applies to most postsecondary institutions, and the health information records created or maintained by the University related to students are either education records or treatment records under FERPA, both of which are excluded from coverage under the HIPAA Rules.

3.2. Because the institution is a Hybrid Entity and provides health care to nonstudents, the individually identifiable health information of the nonstudent patients that meets the definition of PHI is subject to the HIPAA Rules.

4.  Administrative Requirements

4.1. To comply with the requirements of both the Privacy and Security Rules appropriately, the University must:

4.1.1. Develop and maintain policies and procedures designed to comply with the Privacy and Security Rules;

4.1.2. Designate a HIPAA Privacy Officer and HIPAA Security Officer to develop and implement such policies and procedures;

4.1.3. Establish and maintain appropriate administrative, technical and physical safeguards to protect the privacy and security of PHI;

4.1.4. Maintain documentation of its status under HIPAA as a “Hybrid Entity”; and

4.1.5. Maintain all documentation required by the Privacy Rule and other laws or record retention obligations.

5.  Breach Rule

5.1. University personnel must report events that may result in the acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule, which compromises the security or privacy of the PHI.  RUL 08.00.17 – Cybersecurity Incident Response Procedure is the process for event reporting, investigative analysis, containment, eradication and recovery, and post-incident activities that could include notification of the breach to affected individuals, the Secretary of the U.S. Department of Health and Human Services, and, in certain circumstances, to the media.

6.  Business Associates

6.1. Covered components must enter into a Business Associate Agreement (BAA) with any third party that: (i) provides data transmission services to the University with respect to PHI and requires access on a routine basis to such PHI; or (ii) will create, receive, maintain or transmit PHI on behalf of the University. All BAAs must be reviewed and approved by both the HIPAA Privacy and Security Officers and should undergo an assessment to validate the compliance of the Business Associate with HIPAA/HITECH requirements.

7.  Individual Rights

7.1. Patients of the Covered Components at the University:

7.1.1. Must receive a Notice of Privacy Practices in a form and manner approved by NC State’s HIPAA Privacy Officer and in a format that is accessible by the patient;

7.1.2. Must be permitted access to their records upon request;

7.1.3. Must be permitted to request amendments to their records, which requests must be reviewed on a timely basis and amendments made as appropriate; and

7.1.4. Must be permitted to request restrictions on the use or disclosure of their records, and all reasonable requests must be accommodated.

8.  Information Security and Privacy Assessments

8.1. Both the HIPAA Privacy and Security Officers, or their delegates, will conduct periodic assessments to ensure compliance with HIPAA/HITECH.  Each covered component is responsible for allocating time for key covered component stakeholders to be part of the assessment and to provide any requested policies, procedures or other requested evidence of compliance.

9.  Research

9.1. Researchers desiring access to PHI maintained by University covered components must obtain patient authorization or a waiver of authorization from the Institutional Review Board (IRB) to obtain and use PHI for research purposes.  The HIPAA Privacy Rule supplements and does not supersede the Common Rule applicable to federally sponsored research or the Food and Drug Administration regulations governing clinical trials of new drugs and medical devices, both of which protect the confidentiality of human subjects in research.

9.2. Please review the NC State IRB Standard Operating Practice re: HIPAA for more information on using PHI for research purposes.

10.  Training and Awareness

10.1. Workforce members of Covered Components will be required to take periodic HIPAA training. Relevant Workforce members of support units may also be required to take periodic HIPAA training if their work involves supervising or supporting the access, use, or disclosure of PHI. This training will be provided in an electronic format leveraging the university’s existing non-credit training systems.  The HIPAA Privacy and Security Officers are responsible for the development of training materials, delivery of training materials, and communications about the timing and frequency of training. Individual units may require their employees, students and/or volunteers to take additional training, and/or require that the training be taken more frequently than is communicated by the HIPAA Privacy and Security Officers.

11. Sanctions

11.1. Any workforce member who violates this policy, any other University policies or procedures concerning PHI, or any federal or state law related to PHI, may be sanctioned. Sanctions could include:

11.1.1. Additional training;

11.1.2. Curtailing or otherwise altering job responsibilities;

11.1.3. Other disciplinary action, as appropriate to the individual’s affiliation with the university and the degree of impact on the university; or

11.1.4. Referral for criminal prosecution for law violations.

11.2. The Sanctions process is managed by the HIPAA Privacy Officer in coordination with the HIPAA Security Officer, University Compliance and Ethics Officer and the Office of General Counsel.

12. Glossary

12.1. Acronyms

Acronym  Definition
BAA      Business Associate Agreement
FERPA    Family Educational Rights and Privacy
HIPAA    Health Insurance Portability and Accountability Act of 1996
HITECH   Health Information Technology for Economic and Clinical Health Act of 2009 and regulations promulgated thereunder
IRB      Institutional Review Board
PHI      Protected Health Information

12.2. Term Definitions

12.2.1. Breach: A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.  An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

12.2.1.1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;

12.2.1.2. The unauthorized person who used the protected health information or to whom the disclosure was made;

12.2.1.3. Whether the protected health information was actually acquired or viewed; and

12.2.1.4. The extent to which the risk to the protected health information has been mitigated.

12.2.2. Breach Notification Rule: The HIPAA Breach Notification Rule requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions, implemented and enforced by the Federal Trade Commission (FTC), apply to vendors of personal health records and their third party service providers, pursuant to section 13407 of the HITECH Act. The Breach Notification Rule is located at 45 CFR 164.400-414.

12.2.3. Business Associate: a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.  A member of the covered entity’s workforce is not a business associate.

12.2.4. HIPAA Privacy Rule: The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other individually identifiable health information (collectively defined as “protected health information”) and applies to health plans, health care clearinghouses and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of protected health information and sets limits and conditions on the uses and disclosures that may be made of such information without an individual’s authorization. The Rule also gives individuals rights over their protected health information, including rights to examine and obtain a copy of their health records, to direct a covered entity to transmit to a third party an electronic copy of their protected health information in an electronic health record, and to request corrections. The Privacy Rule is located at 45 CFR Part 160 and Subparts A and E of Part 164.

12.2.5. HIPAA Security Rule: The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and security of electronic protected health information. The Security Rule is located at 45 CFR Part 160 and Subparts A and C of Part 164.

12.2.6. Protected Health Information: Protected Health Information or PHI is individually identifiable health information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. Protected health information excludes individually identifiable health information in education records covered by FERPA, in treatment records covered by FERPA, in employment records held by a covered entity in its role as employer, and regarding a person who has been deceased for more than 50 years.

12.2.7. Workforce: Employees, volunteers, trainees and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate.