Health Insurance Portability and Accountability Act (HIPAA)


The Health Insurance Portability & Accountability Act of 1996 requires the institution to secure a patient’s electronic protected health information (ePHI). This protection is provided by administrative, physical, and technical processes and controls. The OIT-Information Security Office is charged with assisting the university in achieving compliance with the HIPAA Security Rule.

Departments involved in the electronic transmission of patient records, as well as any subcontractors, are required to be compliant with HIPAA standards, which call for prudent security practices.

The HIPAA Security Rule is intended to be scalable and does not require specific technologies to be used. Covered entities may elect solutions that are appropriate to their operations, as long as the selected solutions are supported by a thorough security assessment and risk analysis.

The standards for the Security Rule are grouped into five categories:

  • Administrative safeguards
  • Physical safeguards
  • Technical safeguards
  • Organizational standards
  • Policies, procedures, and documentation requirements

Program component details:

  1. All departments that accept, process, store, and transmit electronic protected healthcare information (ePHI) must ensure that all applicable systems and databases used to process this data undergo risk assessments conducted by the Risk Management team.
  2. University Ethics and Compliance provides mandatory, annual HIPAA training for identified units and departments that process healthcare data (PHI). The Information Security Office provides supplemental, optional refresher training that can be requested by management for identified groups (see additional resources link below).
  3. University policies should be reviewed by all members of the University who access, use, transmit or otherwise process electronic protected healthcare information (ePHI).
  4. The Compliance team is available to consult with schools and business units to ensure adherence to all HIPAA Security Rule regulatory requirements.

Review additional resources below for policy and training requirements.

HIPAA support and additional resources

HIPAA training

Register for this required training upon management approval.

Policy requirements

Learn more about the policy's role at Rutgers.


Contact us with questions regarding the HIPAA Security Rule.