University Policy
Title
University of North Carolina at Chapel Hill Policy on HIPAA Privacy and Security Officials
Introduction
Purpose
To designate the privacy and security officials for the University of North Carolina at Chapel Hill (“UNC-Chapel Hill”) in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), and all regulations promulgated thereunder (hereinafter collectively referred to as “HIPAA”).
Scope
UNC-Chapel Hill faculty, staff, students, fellows, volunteers, trainees, agents, contractors, and/or other affiliates, whether paid or unpaid, who work, train, or support UNC-Chapel Hill’s HIPAA Covered Components.
Policy
Policy Statement
A. Designation of HIPAA Privacy Official
Under the HIPAA Privacy Rule, UNC-Chapel Hill must designate a privacy official who is responsible for overseeing the development and implementation of the policies, procedures, and standards for the University required by the HIPAA Privacy Rule. Pursuant to 45 CFR 164 Subpart E, the University has designated its Chief Privacy Officer to serve as the privacy official and to provide centralized responsibility for oversight and implementation of the University’s HIPAA privacy program.
B. Roles and Responsibilities of HIPAA Privacy Official
- The Privacy Official is primarily responsible for overseeing all ongoing activities related to UNC-Chapel Hill’s implementation of the HIPAA Privacy and Breach Notification Rules.
- Under the oversight of the Privacy Official, the University’s Institutional Privacy Office is responsible for carrying out the University’s HIPAA privacy program, which includes:
  - Developing and implementing the policies, procedures, and standards for the University required by the HIPAA Privacy and Breach Notification Rules;
  - Training all Workforce Members on UNC-Chapel Hill’s policies and procedures involving the HIPAA Privacy and Breach Notification Rules;
  - Periodically assessing which units, departments, clinics, programs, and functions at UNC-Chapel Hill must be included as UNC-Chapel Hill HIPAA Covered Components in UNC-Chapel Hill’s HIPAA Hybrid Entity Designation;
  - Providing guidance and oversight on activities related to compliance with the HIPAA Privacy and Breach Notification Rules; and
  - Conducting privacy-related investigations of potential incidents involving the HIPAA Privacy Rule, which includes recommending sanctions for University Workforce Members consistent with the University’s Standard on HIPAA Sanctions and ensuring compliance with any individual or regulatory reporting obligations required by the HIPAA Breach Notification Rule.
C. Designation of HIPAA Security Official
Under the HIPAA Security Rule, UNC-Chapel Hill must designate a security official who is responsible for overseeing the development and implementation of the policies, procedures, and standards required by the HIPAA Security Rule. Pursuant to 45 CFR 164 Subpart C, the University has designated its Chief Information Security Officer to serve as the security official and to provide centralized responsibility for oversight and implementation of the University’s HIPAA security program.
D. Roles and Responsibilities of HIPAA Security Official
- The Security Official is primarily responsible for overseeing all ongoing activities related to UNC-Chapel Hill’s implementation of the HIPAA Security and Breach Notification Rules.
- Under the oversight of the Security Official, the University’s Information Security Office is responsible for carrying out the University’s HIPAA security program, which includes:
  - Developing and implementing the policies, procedures, and standards for the University required by the HIPAA Security and Breach Notification Rules;
  - Training all Workforce Members on UNC-Chapel Hill’s policies and procedures involving the HIPAA Security and Breach Notification Rules;
  - Conducting periodic HIPAA security risk assessments and enterprise risk analyses to examine the security measures the Covered Components use to protect electronic PHI;
  - Providing guidance and oversight related to compliance with the HIPAA Security and Breach Notification Rules;
  - Conducting security-related investigations and forensic capture activities for potential incidents involving the HIPAA Security and Breach Notification Rules, which includes recommending sanctions for non-compliance with UNC-Chapel Hill’s policies and procedures related to the HIPAA Security and Breach Notification Rules;
  - Ensuring UNC-Chapel Hill HIPAA Covered Components implement appropriate administrative, physical, and technical safeguards to secure electronic PHI; and
  - Continuously improving the University’s HIPAA security program and providing program updates to senior leadership and the Board of Trustees.
Definitions
- Covered Components. All units, departments, divisions, clinics, and programs that have been designated under UNC-Chapel Hill’s HIPAA Hybrid Entity Designation to which the HIPAA Rules apply.
- HIPAA Breach Notification Rule. 45 CFR 164 Subpart D, which requires that HIPAA covered entities and their business associates provide notification following a breach of unsecured PHI.
- HIPAA Hybrid Entity. A single legal entity that is a Covered Entity, whose business activities include both covered and non-covered functions, and designates components covered by the HIPAA Rules. UNC-Chapel Hill has designated itself as a HIPAA Hybrid Entity.
- HIPAA Privacy Official. The University’s Chief Privacy Officer who, pursuant to 45 CFR 164 Subpart E, is responsible for overseeing the development and implementation of the policies, procedures, and standards for the University required by the HIPAA Privacy Rule.
- HIPAA Privacy Rule. 45 CFR Part 160 and Subparts A and E of Part 164 that establishes the national standards to protect individuals’ medical records and other PHI, as defined by HIPAA. The Privacy Rule requires appropriate safeguards to protect the privacy of PHI and sets limits and conditions on the uses and disclosures that may be made of such information without an individual’s authorization.
- HIPAA Security Official. The University’s Chief Information Security Officer who, pursuant to 45 CFR 164 Subpart C, is responsible for overseeing the development and implementation of the policies, procedures, and standards required by the HIPAA Security Rule.
- HIPAA Security Rule. 45 CFR Part 160 and Subparts A and C of Part 164 that establishes national standards to protect individuals' electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic PHI.
- Protected Health Information (PHI). PHI is defined as:
  - Information (in any format, whether electronic, paper, or oral) that:
    - is created or received by a health care provider, health plan, or health care clearinghouse; and
    - relates to the past, present, or future physical or mental health or condition of any individual; or
    - the provision of health care to an individual; or
    - the past, present, or future payment for the provision of health care to an individual;
  - AND there is a reasonable basis to believe the information can be used to identify the individual; OR
  - The information includes one or more of the following eighteen (18) identifiers (of the individual or his or her relatives, household members, or even of the individual's employer):
    - Name
    - Geographic subdivisions smaller than a state (i.e., county, town or city, street address, and zip code and equivalent geocode) (note: in some cases, the initial three digits of a zip code may be used)
    - All elements of dates (except year) for dates directly related to an individual (including birth date, admission date, discharge date, date of death, all ages over 89, and dates indicative of age over 89) (note: ages and elements may be aggregated into a single category of age 90 or older)
    - Phone numbers
    - Fax numbers
    - Email addresses
    - Social security number
    - Medical record number
    - Health plan beneficiary number
    - Account numbers
    - Certificate/license numbers
    - Vehicle identifiers and serial numbers, including license plate numbers
    - Device identifiers and serial numbers
    - Web Uniform Resource Locators (“URLs”)
    - Internet protocol (“IP”) address numbers
    - Biometric identifiers (e.g., fingerprints, retinal and voice prints)
    - Full face photographic and any comparable images
    - Any other unique identifying number, characteristic, or code
- Workforce Member. UNC-Chapel Hill faculty, staff, students, fellows, volunteers, trainees, agents, contractors, and/or other affiliates, whether paid or unpaid, who work, train, or support UNC-Chapel Hill’s HIPAA Covered Components.
Related Requirements
External Regulations
University Policies, Standards, and Procedures
Contact Information
Primary Contact
Name: Katherine Georger
Title: Associate Vice Chancellor, Chief Privacy Officer, Chief Digital Risk Officer, and Special Counsel
Unit: Institutional Privacy Office
Email: privacy@unc.edu
Other Contacts
Name: Paul Rivers
Title: Assistant Vice Chancellor and Chief Information Security Officer
Unit: Information Security Office
Email: security@unc.edu