Skip to main content
Sign In

University of Colorado Denver

Heath Insurance Portability and Accountability Act


Security Rules

When is the deadline for compliance with the Security Rule?

No later than April 21 , 2005.

What does the Security Rule require?

The Security Rule requires that We implement administrative, physical, and technical safeguards of ePHI.

What is ePHI and how does it differ from PHI?

"ePHI" is electronic protected health information. ePHI is PHI that is transmitted and/or maintained by/in electronic media. PHI is individually identifiable health information in any form. electronic, paper, oral, etc.

Do I need to take training to be in compliance with the Security Rule?

Yes. The Security Rule does require education of our campus but we have included Security Rule education in HIPAA 101. If you have completed HIPAA 101 then you have already completed your Security Rule education.

Does the Security Rule require that we protect paper PHI?

No. but the HIPAA Privacy Rule does require that we adequately safeguard PHI in all forms. including paper. Thc Security Rule's requirements only apply to ePHI.

Where can I find an actual listing of the Security Rule's requirements?

The Centers for Medicare and Medicaid Services (CMS) website has a copy of the final Security Rule published in the Federal Register: A helpful summery appears on page 8380 of the document.

How do I know if I have ePHI on my computer?

If you have saved health or medical information to your computer that contains any of the 18 identifying fields, you have ePHI on your computer. See the HIPAA Privacy Rule De-identification of Information, Policy 1.2, for a listing of the 18 fields that make information identifiable (

If I have ePHI on my computer, what security measures should I utilize?

See the Best Practice Guidelines. and click on the Desktop Computers option. for a listing of desktop security measures.

Can I allow non-employees to use my computer?

UCDHSC resources are to be used for work-related functions only (see appropriate use policy, But there are occasions when a non-employee may need to use our computers. Their access must be limited to non-work-related resources. such as internet access. Keep in mind that you are responsible for any misuse of University-owned resources, and will be subject to sanctions if this misuse is criminal in nature.

Can I download any software/applicalions on to my computer?

If you have administrative rights on your computer. You have the ability to download software/applications to your computer. Keep in mind that programs you install may cause your work-related applications to "misbehave." In addition, applications downloaded from the lnternet are noturious four containing malware (spyware, ad-ware, viruses). If your computer begins behaving in a less-than-optimal manner or becomes non-functional after installation of a program you installed, you are responsible for paying for any needed "repair" work.

Where is the best place to store ePHI? Can I stote it on my desktop computer?

The best place to store ePHI is on a secure server. These are computcrs that have a lot of storage space and are securely maintained by an IT professionals. If it is not possible to store ePHI on a secure server, it can be stored on your desktop computer,. but you will need to take additional security measures to secure the data. In addition to the normal anti-virus software and patching, the data will need to be routinely backed up,. password-protected screen savers must be used, auditing functions may need tu be enabled,. and care must be taken not to download any applications from the Internet which might contain spyware or cause loss of data confidentiality.

Call I store ePHI on my mobile computing device?

Mobile devices are easily lost or slolen. If you don't have to store ePHI on your laptop,. PDA, or removable storage devices (i.e. bus drive, flash drive, CD, etc) don't, If you must store ePHI on one of these devices. make sure the dcvice is password protected and the data is encrypted. Information Systems offers an encryption application. PGP, which also includes storage of a recovery key (if you lose your encryption key and don't have a recovery key. The data is not retrievable). Contact the IS Help Desk at 303-724-4357 for rnore information about this application.

What are the penalties for non-compliance with the Security Rule?

Potential penalties applicable to members of the University's workforce may be found in the Sanction policy at Generally, HIPAA noncompliance is punishable by both civil and criminal penalties, up to 10 years in prrison and fines up to $250,000.

Where do I find information about campus e-mail and its security?
How can I e-mail ePHI and keep it secure?

UCDHSC and our Affihatcs (UCHSC, UCH, UPI, DHHA, TCH and NJH)(The VA Hospital and all other healthcare organizations fall outside our protected affiliate network.) share a private network. Any e-mail sent between these sites is automatically secure. If e-mail containing ePHI needs to be sent outside this private network, it must be sent using our secure e-mail system, called Tumbleweed. Tumbleweed provides secure e-mail communication capabilities for e-mail initiated from UCDHSC (see

My computer screen is observable to others. What can I do to protect the data that appear on the screen when others are present?

If possible, move your computer to a more private location or reposition your monitor so that it is facing away from public viewing, (e.g. turn the back of the monitor toward the public at a reception desk). Consider adding an antireflective screen, which prevents viewing from any direction except straight ahead. Use a password-protected screen saver set to activate within a very short period of inactivity.

What should I do if I think the security of my ePHI has been jeopardized?

If you think your data has been accessed in an unauthorized manner (loss of integrity), contact the IS Help Desk at 303-724-4357 or the HIPAA Security Officer at 303-724-0495 to report the security breach and receive instructions On how to proceed.

What are patches, why do I need them, and how do I apply them to my computer?

Patches are computer code written by an application vendor to repair an operating system or application vulnerability. They are needed because once an attack using the vulnerability is "in the wild" your computer is at risk of being affected by the attack. On a Windows computer, the easiest method for keeping your patches up-to-date is to have your computer set up for automatic patch management by the IS Software Update Service (SUS). Call the IS Help Desk (303-724-4357) with the name of the computer you would like to add to the service. That's all it takes. If your computer is mobile(it isn't connected to the campus network regularly during the update time, generally around 9 a.m.), or your computer is not joined to the Stargate domain, you can either set up the automatic update function using the Windows Update icon, or from the menu bar of Internet Explorer, select tools, Windows Update, which takes you to the Windows update site. Newer Macs (OS X and above), can be set up to automatically receive updates. If you are running Red Hat Enterprise Linux, you'll be notified of updates. If you're running any other version of Linux, you'll need to monitor the Linux open source sites for updates.

Where is the computing best practices information for the campus?
What protections should I take with my ePHI research database?

That's a multi-part question, depending mostly on how the database is accessed. If You're the only person who uses the database, it should be stored on a secure server and backed up nightly. You can use any database application you are comfortable with. If multiple people use the database, only minimum necessary access should be granted to the user. Each user's access should be based on the job function of the user. So if some people's job duties require them to see only limited information, the database must be able to support that feature (at this time, Microsoft Access does NOT support this feature). A more full-featured database application will be needed, something like Microsoft SQL or Oracle. If the database is accessible from the Internet, it should be on a server Separate from the web server, must use SQL, Oracle, or other full·featured database application, must require users to log in, and grant access to only the minimum necessary information. Auditing of the data should be set up to ensure that there is no unauthorized access. In all cases, the database patches must be kept current. See and click the: link for databases for additional information.

What agency will enforce the Security Rule?

CMS, the Centers for Medicare and Medicaid Services, is charged with enforcement of the Security Rule.

What is spyware and what should I do if I think I have spyware on my computer?

Spyware is computer software that gathers information about your computer usage without your knowledge or informed consent and then transmits this information to an external entity. See for additional information.

Where can I find the campuses' security policies and procedures?

Both the HIPAA and IS websites contain security information, including HIPAA Security policies and best practices. See for HIPAA policies and http://www.uchsc edu./is/policies/ for IS policies.

How can I securely destroy ePHI?

If ePHI is on your desktop, laptop, or server, and it is no longer needed, delete the files. They will be moved to your Recycle Bin {Windows) or Trashcan {Mac). Then empty the Recycle Bin or Trashcan. To completely remove all data from a drive, use a disk wiping tool. Do not use these if you need to continue to use the computer, THEY REMOVE ALL DATA! If you no longer need the computer, see for computer disposal procedures. For ePHI on removable devices (e.g. flash, bus, zip drives, CD), destroy the device prior to disposing.

What is a flash drive and how can I protect data stored on a flash drive?

A jump drive- also known as a USB drive, flash drive, keychain drive, or disk-on-key - is a plug-and-play portable storage device that uses flash memory and is lightweight enough to attach to a key chain. A jump drive, which looks very much like an ordinary highlighter marker pen. can be used in place of a floppy disk, Zip drive disk, or CD. When the user plugs the device into his computer's USB port, the computer's operating system recognizes the device as a removable drive and assigns it a drive letter. The only way to secure data stored on one of these devices is to encrypt it. Contact the Help Desk at 724-4357 for further information, See,,sid5_gci869057,00.html for additional information.

Does the Security Rule cover social security numbers and their protection?

Social security numbers (SSN) are one of the 18 identifiers that make health or medical information into PHI. Protection of social security numbers when they occur in conjunction with health or medical information is covered in the HIPAA Privacy Rule. In addition, the University of Colorado System has begun an initiative to remove SSN from its systems whenever possible.

I think I may have violated the Security Rule! What should I do?

Contact the HIPAA office at or call the HIPAA Hotline at (303) 72H-IPAA (724-4722}.

My unit Was told we don't have to comply with the HIPAA Privacy Rule. Does the Security Rule apply to us?

If your unit is exempt from complying with the HIPAA Privacy Rule, it is also exempt from complying with the HIPAA Security Rule. On the other hand, the requirements of the Security Rule are, for the most part, just secure computing practices. Sec the Computing Best Practice Guidelines at These are the practices every UCDHSC unit should be following

How is this different than the Privacy Rule? I though we were already in compliance.

The HIPAA Privacy Rule covers all forms of protected health information (PHI), including paper, conversations in places where the discussion can be overheard, and orally giving information over the telephone. The HIPAA Security Rule covers only electronic protected health information (ePHI J - basically any PHI stored on/or used with electronic media (i.e. computers, printers, fax machines).

Does the Security Rule require that I store all PHI in electronic form?

No. However, the Security Rule does require administrative, physical, and technical safeguards of all PHI that is in electronic form.

© The Regents of the University of Colorado, a body corporate. All rights reserved.

Accredited by the Higher Learning Commission. All trademarks are registered property of the University. Used by permission only.