HOW TO: Determine if HIPAA Security applies to you. Steps to become compliant.

Summary: If you create, maintain, receive, transmit, or store any individual's electronic protected health information (ePHI), or you are a health care provider, then the HIPAA Security Rule applies to you. The rule requires administrative, physical, and technical safeguards that protect the confidentiality, integrity, and availability of ePHI against unauthorized access, alteration, or loss.

Each step below states what you should do, followed by how you should do it.

Step 1. Determine if the Health Insurance Portability and Accountability Act (HIPAA) Security Rule applies to you
  1. The Security Rule protects electronic protected health information (ePHI): individually identifiable health information that is created, received, maintained, or transmitted electronically. It includes, but is not limited to:
    • personally identifying information, such as name, social security number, driver's license number, financial account number or credit card number, when it is associated with health information
    • health care or health care payment information, reports, test results
    • demographic information including address, date of birth, date of death, sex, e-mail, web address
    • medical record number, insurance number
    • dates of service, e.g., date of appointment, admission and discharge

  2. If you create, store, manage, receive, or transmit any ePHI as defined above, you are handling it as part of a Covered Entity (or as its Business Associate) and are responsible for Security Rule compliance. You will need to implement the specific administrative, physical, and technical safeguards the rule requires.

  3. The steps in the remainder of this document will guide you to becoming Security Rule compliant.

Note: If you have determined that this does not apply to you, you do not need to read further.

Step 2. If this applies to you, understand what Security Rule compliance means
  1. Review:
  2. Your computing security practices need to be consistent with
Step 3. Assess and analyze your risk
  1. Analyze your security practices against the guidelines to identify any deficiencies, using the Security Self-assessment Checklist. Determine what additional measures, if any, are needed to close each deficiency.

  2. The self-assessment needs to be repeated annually or as any major changes within a unit occur that might affect ePHI security.
Step 4. Develop policies and procedures
  1. Develop policies and procedures that address the risks identified in Step 3. Select and implement cost-effective controls, countermeasures, and safeguards.

  2. File and database encryption are key technologies for securing data.
    Refer to the UC Encryption Guidelines for details. UC has also negotiated a contract with vendors for encryption software. Please refer to UC Encryption Tools purchasing agreements
Step 5. Train or retrain staff
  1. New employees must be trained within 90 days of hire.

  2. Employees need to be retrained annually or as job descriptions change.

  3. Please take the "HIPAA Information Security" course using the UCI Training and Employee Development System (TED).

  4. Check with your supervisor for other HIPAA Security training courses that may be required by your unit.
Step 6. Manage the computing environment
  1. Monitor systems that hold ePHI and regularly audit their access and activity logs for unauthorized or unusual access.

  2. Monitor and resolve new risks.
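The audit step above is only as good as the review that follows it. The following is an added example, not code from the UCI page or from UC, of the kind of routine review a unit might run over ePHI access logs. Everything in it is an assumption for illustration: the one-line-per-access log format, the hypothetical staff-to-unit table, the threshold values, and the sample log lines, which are constructed. It flags two common audit findings: a user viewing or exporting records belonging to a unit they are not assigned to, and a user touching more distinct records within an hour than their role would normally require.

```python
"""Audit-log review for ePHI access.

Assumed log format (one record per line; not from the original page):
    <ISO timestamp> user=<id> unit=<code> action=<view|export> mrn=<id>
Checks performed:
  1. cross-unit access: user's home unit differs from the record's unit
  2. bulk access: more than BULK_THRESHOLD distinct records by one user
     inside a BULK_WINDOW sliding window
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) unit=(?P<unit>\S+) "
    r"action=(?P<action>view|export) mrn=(?P<mrn>\S+)$"
)

# Hypothetical staff-to-unit assignment; in practice this comes from HR/IAM.
USER_UNIT = {"jdoe": "CARD", "asmith": "ONC", "rlee": "CARD"}
BULK_THRESHOLD = 3          # distinct records per user per window before flagging
BULK_WINDOW = timedelta(hours=1)

# Constructed sample log for the example; not real data.
SAMPLE_LOG = """\
2024-03-04T09:01:12 user=jdoe unit=CARD action=view mrn=100234
2024-03-04T09:05:40 user=jdoe unit=CARD action=view mrn=100235
2024-03-04T09:06:02 user=asmith unit=CARD action=export mrn=100236
2024-03-04T10:15:55 user=rlee unit=CARD action=view mrn=100240
2024-03-04T10:16:10 user=rlee unit=CARD action=view mrn=100241
2024-03-04T10:17:31 user=rlee unit=CARD action=view mrn=100242
2024-03-04T10:18:00 user=rlee unit=CARD action=export mrn=100243
2024-03-04T13:00:00 user=rlee unit=CARD action=view mrn=100240
"""


def parse_log(text):
    """Parse log text into event dicts; an unparseable line is itself a finding."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unparseable audit record")
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def cross_unit_access(events, user_unit):
    """Return (user, unit, mrn, action) for accesses outside the user's home unit."""
    findings = []
    for e in events:
        home = user_unit.get(e["user"])
        if home is None or home != e["unit"]:
            findings.append((e["user"], e["unit"], e["mrn"], e["action"]))
    return findings


def bulk_access(events, threshold=BULK_THRESHOLD, window=BULK_WINDOW):
    """Return (user, window_start, distinct_count) for the first burst per user."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it fits inside `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = {x["mrn"] for x in evs[start:end + 1]}
            if len(distinct) > threshold:
                findings.append((user, evs[start]["ts"], len(distinct)))
                break  # one finding per user is enough for the daily report
    return findings


def review(text, user_unit=USER_UNIT):
    """Run both checks over a log and return the findings for the report."""
    events = parse_log(text)
    return {
        "cross_unit": cross_unit_access(events, user_unit),
        "bulk": bulk_access(events),
    }


if __name__ == "__main__":
    for kind, items in review(SAMPLE_LOG).items():
        print(kind, items)
```

Run over the constructed sample, the review flags asmith (an ONC user) exporting a CARD record, and rlee opening four distinct records within three minutes. The thresholds and the unit table are the parts a real unit would tune; the point of the example is that "audit the logs" means a repeatable check with defined criteria, not an occasional manual read-through.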
Step 7. Respond to incidents
  1. Report security incidents & breaches to the confidential message line: 1-888-456-7006

  2. Additionally, please follow the procedures defined under "Compromised Computer with Sensitive Data" available at Keeping Your Data Safe
Step 8. Do you have any Partner Agreements?
  1. Business Associate (Chain of Trust) Agreements with any partner that handles ePHI on your behalf need to be developed with your legal counsel.

  2. Contract language should require the partner to maintain the confidentiality and integrity of the protected data.

For more information, please contact:

Notice: University policies, procedures and applicable collective bargaining agreements shall supersede information in this document or elsewhere on this site.
