HIPAA Information
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 necessitated updating and standardizing our privacy and security practices to comply with the federal regulations. The HIPAA Privacy Rule came into effect in 2003 and the Security Rule came into effect in 2005. The Combined Rule came into effect in 2013 and implemented a number of provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act to strengthen the privacy and security protections for health information established under HIPAA.
The Privacy Rule regulates the use and disclosure of certain information held by "Covered Entities" and establishes regulations for the use and disclosure of Protected Health Information (PHI). While the Privacy Rule pertains to all PHI, whether paper or electronic, the Security Rule deals specifically with Electronic Protected Health Information (EPHI). The general Security Rule is defined by three types of security safeguards required for compliance: administrative, physical, and technical.
The University of Tennessee Health Science Center campuses and clinics comprise the health care component (Covered Entity) of the University of Tennessee under HIPAA. To comply with the Act, we have a Privacy Officer and a Security Officer, who are responsible for our compliance efforts regarding the Privacy Rule and Security Rule, respectively.
Notice of Data Breach - Change Healthcare (CHC), one of our vendors, experienced a criminal cyberattack and will be notifying those individuals whose information may have been compromised. For further details, including a description of information which may have been involved based on CHC’s review to date, and information on complimentary credit monitoring and identity protection services available to all individuals, please visit CHC’s Substitute Notice website (https://www.changehealthcare.com/hipaa-substitute-notice) or contact their dedicated call center at 1.866.262.5342.