Information Security Risk Acceptance Document

Information Security Risk Acceptance
HIPAA Security Compliance Exception and Risk Acceptance for: _____________________________
I understand that compliance with East Carolina University HIPAA Security policies and standards and Federal
HIPAA Privacy and Security requirements is expected for all organizational units (e.g. schools and departments),
business processes and the related information and communication systems. I have read the attached HIPAA
Security Compliance Report for the ____________________ and I believe that the control(s) described therein
should not be required for the following organizational unit, business process, or information system,
_____________________________________________________________________________________________
_____________________________________________________________________________________________
I understand that a control deficiency in one business process or system could possibly jeopardize other processes or
systems, possibly lead to a compromise in privacy, and/or possibly result in a data security breach.
I understand that an exception to University policies and standards and/or state or Federal statutes is appropriate
only when compliance would:
- adversely affect the accomplishment of East Carolina University business
- cause a major adverse financial impact that would not be offset by the reduced risk occasioned by compliance
- adversely reflect upon the University's reputation
An exception to this policy or standard is warranted because:
_____________________________________________________________________________________________
_____________________________________________________________________________________________
_____________________________________________________________________________________________
A written security compliance review has been prepared of possible risks associated with being out of
compliance with the above-mentioned policy, standard or statute. A review can never identify all risks, but
the known risks associated with this application, system, or hardware are listed in the attached report.
I, as department head for _____________________________, acknowledge the risks associated with this exception
to information security policies and/or standards on behalf of the institution. I have reviewed the security concerns
associated with this installation, but have determined this exception is necessary for the stated business purposes
listed above. I understand that the risks include penalties described in the HITECH Act of the American Recovery and
Reinvestment Act and/or other state and federal compliance requirements. I understand it is my responsibility to
communicate the risks and acceptance of risks to the appropriate University senior management and to review the
risks associated with this system at minimum annually, or as changes to the system or organization warrant.
I approve the installation of the system to which this compliance exception refers.
_______________________________________
Printed name of University Approver
_______________________________________
University Approver Signature
Date
_______________________________________
Data Owner Signature
Date
Information Risk Acceptance #
Keep copy for your record and return completed and signed form to IT Security; Mailstop 229, ITCS Cotanche Bldg
CC: Mr. Tim Wiseman, University Enterprise Risk Management Office