Frequently Asked Questions

  • Can PHI be disclosed to law enforcement, family members, or others, if you believe the individual is a serious threat to self or others?

    Yes, the HIPAA Privacy Rule permits disclosure of PHI, including psychotherapy notes, when the covered entity has a good faith belief that the disclosure:

    • is necessary to prevent or lessen a serious and imminent threat to the health or safety of the individual or others
    • is to a person reasonably able to prevent or lessen the threat

    The disclosure must be consistent with applicable law and standards of ethical conduct.

  • What do the HIPAA Privacy and Security Rules say about disposing PHI?

    The HIPAA Rules require entities to apply appropriate administrative, technical, and physical safeguards to protect PHI in any form. This means UNC must implement safeguards that limit incidental, and avoid prohibited, uses and disclosures. Further, the Rules require that workforce members receive training on, and follow, the disposal policies and procedures.

    Proper disposal methods may include, but are not limited to:

    • For PHI in paper form: shredding, burning, pulping, or pulverizing the records so that the PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed
    • For electronic media: clearing, purging, or destroying the media (disintegration, pulverization, melting, incineration, or shredding)

  • What is "Encryption"?

    Encryption is a method of converting an original message of regular, readable text into encoded text. The text is encrypted by means of an algorithm (a type of formula). If information is encrypted, there is a low probability that anyone other than the receiving party, who holds the key to the code or has access to another confidential process, could translate the text. Go to Email Security to learn how to encrypt PHI.

    How to encrypt an email using Azure RMS
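    To make the definition above concrete, here is a small added example (not part of the original FAQ or of any UNC tool) showing the two properties the definition relies on: the party holding the key recovers the original text, and anyone with a different key, or anyone who tampers with the encoded text, gets nothing. It uses only the Python standard library: HMAC-SHA256 run in counter mode as the keystream generator, with a separate HMAC tag so that altered messages are rejected (encrypt-then-MAC). The key sizes, the label strings used for key derivation, and the sample message are assumptions made for the example; for real PHI, use a vetted library or an approved product such as the Azure RMS flow linked above rather than this illustrative construction.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

NONCE_LEN = 16  # assumed: per-message random value so equal messages encrypt differently
TAG_LEN = 32    # HMAC-SHA256 output length


def derive_keys(master_key: bytes) -> Tuple[bytes, bytes]:
    """Split one secret into an encryption key and an authentication key.

    Labels are arbitrary (assumed) but must differ so the two keys differ.
    """
    enc_key = hmac.new(master_key, b"example-encrypt", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"example-authenticate", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Produce `length` pseudorandom bytes: HMAC-SHA256 as a PRF in counter mode."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(master_key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag. The tag covers nonce and ciphertext."""
    enc_key, mac_key = derive_keys(master_key)
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(master_key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the original text, or None if the key is wrong or the data was altered.

    The tag is checked before any decryption, using a constant-time comparison.
    """
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce = blob[:NONCE_LEN]
    ciphertext = blob[NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(master_key)
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


if __name__ == "__main__":
    # Constructed sample message; no real patient data.
    message = b"Patient MRN 000000 (constructed): appointment moved to Monday."
    key = secrets.token_bytes(32)
    other_key = secrets.token_bytes(32)

    sealed = encrypt(key, message)
    print("encoded text differs from the message:", sealed[NONCE_LEN:-TAG_LEN] != message)
    print("receiving party with the key recovers it:", decrypt(key, sealed) == message)
    print("different key yields nothing:", decrypt(other_key, sealed) is None)

    tampered = bytearray(sealed)
    tampered[NONCE_LEN] ^= 0x01  # flip one bit of the encoded text
    print("altered message is rejected:", decrypt(key, bytes(tampered)) is None)
```

    The point for PHI handling is the last two checks: encryption protects confidentiality only while the key stays with the intended recipient, and an authentication tag is what turns "hard to read" into "cannot be silently altered", which is why the Security Rule pairs transmission security with integrity.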

  • Can I send e-PHI in an email?

    The Security Rule does not expressly prohibit the use of email. However, the standards for access control, integrity, and transmission security require covered entities to implement policies and procedures that restrict access to e-PHI, protect its integrity, and guard against unauthorized access. The Rule allows e-PHI to be sent through email as long as it is adequately protected. To learn more, go to "How do I Email Sensitive Information".

  • What is meant by "safeguards"?

    Physical safeguards are physical measures, policies, and procedures to protect a covered entity's electronic information systems, and the related buildings and equipment, from natural and environmental hazards and from unauthorized intrusion. These include facility access controls, workstation use, workstation security, and device and media controls.

  • Does an employee have a right to restrict PHI for workers' compensation purposes?

    Individuals do not have a right to request a restriction when the disclosure is required by law, or is authorized by, and necessary to comply with, workers' compensation or a similar law.

  • What is the difference between HIPAA and FERPA?

    While HIPAA protects the privacy and security of health-related information, the Federal Educational Rights and Privacy Act, or FERPA, protects the educational records of current and former students. For more information see FERPA Overview.

  • How do you determine what is the "minimum necessary"?

    The HIPAA Privacy Rule requires covered entities to make their own assessment of what protected health information is reasonably necessary for a particular purpose. Entities should evaluate, and enhance as needed, their protections to limit unnecessary or inappropriate access to PHI. The Rule is intended to reflect and be consistent with, not override, professional judgment and standards. Covered entities should draw on the input of prudent professionals when deciding how to appropriately limit access to this information.