Activity Monitoring

Protected Health Information (PHI) Monitoring

Central Michigan University (CMU) conducts monitoring of access to protected health information (PHI) to ensure that records are accessed appropriately and in accordance with University policy and federal regulations.

The Office of HIPAA Compliance, in coordination with designated supervisors, reviews flagged access identified through monitoring systems to determine whether access is appropriate. Inappropriate access may result in corrective action in accordance with CMU policy and may be subject to enforcement by the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR).

HIPAA restricts the use and disclosure of PHI to activities that are related to treatment, payment for treatment, and operations. Generally, an individual's job duties reflect their need for access to PHI. However, PHI should not be accessed unless it is needed to perform those job-related duties. This applies equally to the PHI of VIP patients, family members, and friends. If you do not need the information to do your job, do not access the PHI. By accessing PHI without a need arising from the performance of your job duties, you are violating HIPAA and CMU policy.

Enforcement of the HIPAA Privacy and Security Rules by HHS OCR includes fines and penalties for individuals and institutions that fail to follow regulations. CMU's access monitoring is intended to ensure the privacy and security of PHI for all of our students, staff, faculty, and community.

If you have any questions, feel free to contact the Office of HIPAA Compliance at HIPAA@cmich.edu or 989-774-2829.

Activity monitoring is conducted to:

  • Protect the privacy and security of PHI
  • Ensure compliance with HIPAA regulations and CMU policies
  • Identify and investigate potential inappropriate access
  • Support accountability across the CMU workforce

User activity within electronic medical record (EMR) systems is monitored to ensure appropriate access and use. Examples of monitored activity include:

  • Login and logout activity
  • Break-the-Glass (BTG) access events
  • Viewing, editing, or printing records
  • Other system interactions involving PHI

All members of the CMU workforce with access to PHI, including faculty, staff, students, volunteers, and contractors, are subject to activity monitoring.