Protected Health Information (PHI) Monitoring

Central Michigan University conducts monitoring of access to protected health information (PHI) to ensure records are accessed in accordance with University policy and federal regulations. The Office of HIPAA Compliance and designated supervisors review flagged access by our monitoring program to determine whether the access is appropriate or inappropriate. Inappropriate access is subject to sanctions in accordance with University policies as well as enforcement penalties from the Department of Health and Human Services (HHS), Office for Civil Rights (OCR).

HIPAA regulates the use and disclosure of PHI to activities that are related to treatment, payment for treatment and operations. Generally, an individual's job duties reflect the requirement for access to PHI. However, PHI should not be accessed unless it is needed to perform their job-related duties. This applies to VIP patients, family members’ and friends’ PHI. If you do not need the information to do your job, do not access the PHI. By accessing PHI without a need required in the performance of you job duties, you are violating HIPAA and CMU policy.

Enforcement of the HIPAA Privacy and Security Rules by HHS OCR includes fines and penalties for individuals and institutions that fail to follow regulations. CMU's access monitoring intends to ensure the privacy and security of PHI for all of our students, staff, faculty, and community. 

If you have any questions, feel free to contact the Office of HIPAA Compliance at hipaa@cmich.edu or 989-774-2829.