  • SPONSOR(S): Paul Rivers
  • DEPT OR DIVISION: ITS Security and Identity Management
  • PROJECT OWNER: Mel Radcliffe
  • STATUS: In Progress
  • PROJECT THEME: Improving Process and Operations

What is it? 

The HIPAA Security Risk Assessment is a federally mandated evaluation of the University’s implementation of the HIPAA Security Rule. We will first identify any necessary risk mitigation work and, if needed, establish a plan to address it.

Why are we doing it? 

Under the HIPAA Security Rule, we are required to conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the covered entity.  

In addition, there is an ethical and societal obligation to appropriately handle protected health information. 

How does this impact our UNC community? 

UNC units subject to HIPAA may need to allocate staff time to participate in the security risk assessment.

The units are as follows: School of Dentistry, School of Medicine, College of Arts & Sciences, Institutional Integrity and Risk Management, Student Affairs, Information Technology Services, Office of University Counsel, Internal Audit, Finance & Budget, Facility Services, University Communications, Development Office, Office of the Vice Chancellor of Research, Renaissance Computing Institute, Eshelman School of Pharmacy. 

An outside vendor (third party) will be hired to conduct much of the assessment, with the Information Security Office managing requirements, scheduling, logistics, and review of deliverables.

When is this happening? 

The HIPAA Security Risk Assessment takes place every two years. The current assessment began in February 2024 and will end in Summer 2024.

After evidence collection and interviews, the third party will write, revise, and then issue a report to be read out to a variety of campus audiences. A tracking and remediation plan will then be formed from its findings.