Missouri State University

HIPAA Security Rule Policy


Protected Health Information (PHI):  Any information that identifies an individual and relates to that individual’s physical or mental health, health care or treatment, and payment for health care or treatment.

Electronic Protected Health Information (ePHI):  PHI that is created, stored, transmitted, or received electronically.

Hybrid HIPAA Covered Entity:  An organization where only selected areas deal with PHI. 

Policy Statement

As a Hybrid HIPAA Covered Entity (CE), Missouri State University will protect electronic Protected Health Information (ePHI) by addressing Administrative Safeguards, Physical Safeguards, and Technical Safeguards. The subcategories listed under each of these three main categories link to the specific policies and point to existing security policy where applicable. This policy is based on Appendix A to Subpart C of Part 164 – Security Standards: Matrix, 68 Fed. Reg. 8333, 8380 (Feb. 20, 2003).

Administrative Safeguards

Security Management Process: Information Security Risk Assessment and Management policy, Sanctions for Misuse

Physical Safeguards

Facility Access Controls: Information Security Physical Security policy

Technical Safeguards
  • Access Control: User Access to Electronic Data, Data Security, Information Security Identity and Access Management policy
  • Audit Controls:  Information Security Network and Computing Infrastructure policy
  • Integrity
  • Person or Entity Authentication: User Access to Electronic Data, Information Security Identity and Access Management policy
  • Transmission Security: Information Management policy

Reason or Purpose for Policy

HIPAA regulations require that ePHI be protected from unauthorized access and/or destruction. Compromise of ePHI can lead to heavy fines, litigation, and damage to the University’s reputation, with increased oversight and enforcement as a result of the HITECH Act (Title XIII of the ARRA of 2009).

Entities Affected by this Policy

All University Health Care Components (HCC) that deal with ePHI.

Line of Authority

  1. Responsible Administrator and Office:  Chief Information Officer (CIO)
  2. Contact Person in that Office:  Information Security Officer (ISO)