Protected Health Information (PHI): Any information that identifies an individual and relates to that individual’s physical or mental health, health care or treatment, and payment for health care or treatment.
Electronic Protected Health Information (ePHI): PHI that is created, stored, transmitted, or received electronically.
Hybrid HIPAA Covered Entity: An organization where only selected areas deal with PHI.
As a Hybrid HIPAA Covered Entity (CE), Missouri State University will protect electronic Protected Health Information (ePHI) by addressing Administrative Safeguards, Physical Safeguards, and Technical Safeguards. The subcategories under each of the three main categories will link to the specific policies and will point to existing security policy where applicable. This policy is based on Appendix A to Subpart C of Part 164 – Security Standards: Matrix, 68 Fed. Reg. 8333, 8380 (Feb. 20, 2003).
Security Management Process: Information Security Risk Assessment and Management policy, Sanctions for Misuse
Facility Access Controls: Information Security Physical Security policy
HIPAA regulations require that ePHI be protected from unauthorized access and/or destruction. Compromise of ePHI can lead to heavy fines, litigation, and damage to the University’s reputation, with increased oversight and enforcement as a result of the HITECH (Title XIII) Act of the ARRA of 2009.
All University Health Care Components (HCC) that deal with ePHI.