The University Policy Manual

  • Home »
  • HIPAA Compliance

HIPAA Compliance

The University of North Carolina at Greensboro

  • (Approved by the Chancellor, June 7, 2005)
  • (Revisions approved by the Chancellor, February 2010, May 2010)


The Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulates health care providers (Covered Entities) that electronically maintain or transmit protected health information (PHI) in connection with a covered transaction. HIPAA requires each covered entity (CE) to maintain reasonable and appropriate administrative, technical and physical safeguards for privacy and security. Entities or individuals who contract to perform services for a CE with access to protected health information (Business Associates) are also required to comply with the HIPAA privacy and security standards.

The University of North Carolina at Greensboro is subject to the HIPAA regulations because certain units of the University are covered entities and business associates (BA). UNCG is required to identify its units that meet the CE definition, ensure CE compliance with safeguard and implementation specifications, and enforcement of CE and BA compliance with the HIPAA regulations. Business associates of the UNCG CEs may be other UNCG units that perform work on behalf of the CE; and UNCG units may also serve as a business associate to a CE other than UNCG. UNCG has chosen a decentralized model, with University-wide coordination, to comply with the Act. The University designates HIPAA Security and Privacy Officers to provide campus-wide leadership for compliance.

This policy reflects the University’s commitment to comply with HIPAA.


This policy applies to all UNCG Covered Entities and Business Associates. The policy’s scope includes the four (4) areas of the HIPAA regulations: Standards for Electronic Transactions and Code Sets, National Provider and Employer Identifiers, Security Standards, and Privacy Standards.


The Covered Entity must:

  1. Appoint a HIPAA compliance officer or officers.
  2. Implement policies and procedures with respect to protected health information that comply with HIPAA regulations including, but not limited to, ensuring compliance with and enforcement of PHI security, use and disclosure with other University employees as well as external third parties.
  3. Maintain the policies and procedures it implements in written (paper or electronic) form.
  4. Maintain a written (paper or electronic) record of actions, activities or assessments required to be documented by the HIPAA regulations. Such records may include, but are not limited to:
    1. Committee minutes
    2. Committee/task force charters
    3. Executive memorandums
    4. Quality improvement evaluations
    5. Corrective action plans
  5. Retain such required documentation for six (6) years from the date of its creation or the date when it was last in effect, whichever is later, and in accordance with the UNCG Records Retention and Disposition Schedule.
  6. Make the required documentation available to all staff responsible for implementing the policies and procedures to which the documentation applies.
  7. Implement a training program that informs all of the organization’s staff, including management, of all policies and procedures that apply to them in their individual roles.
  8. Inform patients of the Covered Entity’s HIPAA policies and procedures and the patient’s rights and responsibilities, and receive and maintain written acknowledgement of receipt of such information.
  9. Promptly document and process any complaints of alleged HIPAA violations, mitigate any damages, investigate and address any violations.
  10. Perform regular, ongoing monitoring, assessment, and revision, as necessary, to ensure continued compliance and enforcement of HIPAA standards.
  11. Perform regular, ongoing monitoring, assessment and revision, as necessary, of HIPAA policies and procedures and documentation in response to environmental, operational, staff, technical, or legal changes including, but not limited to those aspects of the CE affecting the confidentiality, integrity or availability of its PHI.
  12. Provide periodic written reports to the UNCG HIPAA Privacy and Security officers as requested.


Responsibility for implementation of this policy resides with the HIPAA Compliance Officer(s) in each CE. The UNCG HIPAA Privacy and Security Officers have overall responsibility for compliance with the HIPAA regulations.


The Chancellor has approved this HIPAA Compliance Policy. This policy will be reviewed and updated periodically as appropriate.


Comments or questions? Email the Policy Administrator in Academic Affairs or Information Technology Services.