Protected Health Information (PHI) Monitoring
Central Michigan University conducts monitoring of access to protected health information (PHI) to ensure records are accessed in accordance with University policy and federal regulations. The Office of HIPAA Compliance and designated supervisors review access flagged by our monitoring program to determine whether the access is appropriate or inappropriate. Inappropriate access is subject to sanctions in accordance with University policies as well as enforcement penalties from the Department of Health and Human Services (HHS), Office for Civil Rights (OCR).
HIPAA regulates the use and disclosure of PHI, limiting it to activities that are related to treatment, payment for treatment and operations. Generally, an individual's job duties reflect the requirement for access to PHI. However, PHI should not be accessed unless it is needed to perform job-related duties. This applies to the PHI of VIP patients, family members and friends. If you do not need the information to do your job, do not access the PHI. By accessing PHI without a need required in the performance of your job duties, you are violating HIPAA and CMU policy.
Enforcement of the HIPAA Privacy and Security Rules by HHS OCR includes fines and penalties for individuals and institutions that fail to follow regulations. CMU's access monitoring intends to ensure the privacy and security of PHI for all of our students, staff, faculty, and community.
If you have any questions, feel free to contact the Office of HIPAA Compliance at hipaa@cmich.edu or 989-774-2829.
Why is activity monitoring conducted?
Monitoring access and activity allows for the detection of suspicious activity and supports investigations if a violation occurs. Additionally, once activity is analyzed, it allows for feedback to improve workflows and meaningful use.
What is monitored?
Actions within the electronic medical record systems are monitored for appropriate access, privacy and security. Some examples include login/logout, Break The Glass (BTG) events, viewing, editing, printing, etc.
Who is monitored?
Any individual assigned access to an electronic medical record or electronic health record system. This includes students, staff and faculty.