Governance, Ethics and General

HIPAA Compliance

Section:	Governance, Ethics and General Policies
Policy Name:	HIPAA Compliance
Policy Owner:	Vice President and General Counsel
Responsible University Office:	Office of General Counsel
Origination Date:	November 19, 2019
Revisions:	February 2, 2022
Legacy Policy Number:	New

1. SCOPE OF POLICYThis policy addresses the University’s compliance with the federal Health Insurance Portability and Accountability Act (“HIPAA”) which sets standards applicable to the use and disclosure of Protected Health Information, as defined below, as well as notification obligations in the event of a breach.  This Policy applies to all University personnel but imposes additional obligations on (i) University HIPAA Components, and (ii) Third-Party Business Associates, as defined below.
2. DEFINITIONS
   1. 1. “Health Information” means any information whether oral or recorded in any form or medium that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
      2. “Individually Identifiable Health Information” means the subset of health information that identifies an individual, such as a patient, or that can be reasonably used to identify an individual.
      3. “Protected Health Information” or “PHI” means that subset of Individually Identifiable Health Information that is subject to HIPAA regardless of whether it is in oral, written or electronic form. Individually Identifiable Health Information may become PHI when, for example, a health care provider uses or discloses the information in order to provide care to a person or to receive payment for the services rendered.  PHI in electronic form is “Electronic Protected Health Information” or “ePHI.”  Unless expressly noted in this policy, PHI includes ePHI.
      4. “University HIPAA Components” means those parts of the University that either (i) are health care providers billing for services electronically, or (ii) other parts of the University that must use PHI to support the health care providers, including:
         1. UD Health – Physical Therapy Clinic
         2. UD Health – Nurse Managed Primary Care Clinic
         3. UD Health – Speech-Language-Hearing Clinic
         4. UD Health – Nutrition Clinic
         5. UD Police – Emergency Care Unit
         6. Student Health Services
         7. Information Technologies
         8. Internal Audit and Compliance Department
         9. Procurement Services Department
         10. Office of General Counsel
         11. University Archives and Records Management
      5. “Third-Party Business Associate Components” means a part of the University acting as a Business Associate for a third-party (e.g., the Delaware Department of Human Services). “Business Associates” are persons or entities that have been engaged by a third party subject to HIPAA to provide services and the services require the use or disclosure of the third party’s PHI.
3. POLICY STATEMENTUniversity HIPAA Components and Third-Party Business Associates Components must use, disclose, and safeguard PHI as specified in this Policy and notify the University HIPAA Privacy Officer in the event PHI has been or is reasonably believed to have been, accessed, acquired, used, or disclosed in a manner contrary to this Policy.  University HIPAA Components and Third-Party Business Associate Components may adopt additional procedures specific to their operations provided that those procedures do not conflict with this Policy.
   1. University HIPAA Obligations. When engaging in activities subject to HIPAA, the University will comply with HIPAA and use and disclose PHI only as permitted or required by:
      1. Identifying those components within the University that are University HIPAA Components or Third-Party Business Associate Components.
      2. Designating the University Chief Privacy Officer as the HIPAA Privacy Officer and the Associate Chief Information Security Officer as the HIPAA Security Officer to collectively oversee the University’s HIPAA compliance as specified in this Policy.
      3. Requiring all University personnel who discover an actual or suspected use or disclosure of PHI in violation of this Policy to report the incident to the HIPAA Privacy Officer. The University will not retaliate against an individual for making a report in good faith.
   2. Responsibilities
      1. The HIPAA Privacy Officer coordinates the University’s overall compliance with HIPAA by:
         1. Analyzing University activities involving the use or disclosure of Individually Identifiable Health Information to determine whether those activities are subject to HIPAA;
         2. Identifying, documenting, and periodically updating the designation of the University HIPAA Components and updating this Policy as appropriate;
         3. Preparing, distributing, and updating documents HIPAA requires including the Notice of Privacy Practices, Authorization to Disclose Protected Health Information, and Business Associate Agreements (collectively, “Approved HIPAA Documents”).
         4. Assisting University HIPAA Components and Third-Party Business Associates in meeting HIPAA requirements and obtaining assurances from them of material compliance with this Policy;
         5. Responding to complaints or inquiries from third parties regarding the University’s compliance with HIPAA or this Policy and also to requests to University HIPAA Components from patients to exercise the rights HIPAA conveys to them;
         6. Notifying patients and other persons or entities in the event of any accidental or unlawful use or disclosure of PHI;
         7. Collaborating with the HIPAA Security Officer regarding safeguarding ePHI; and
         8. Informing University leadership regarding compliance with this Policy.
      2. The HIPAA Security Officer coordinates and oversees the implementation of appropriate safeguards for ePHI including:
         1. Assisting University HIPAA Components and Third-Party Business Associate Components in conducting an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI;
         2. Assisting University HIPAA Components and Third-Party Business Associate Components in implementing security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level;
         3. Overseeing the implementation of the other administrative, physical, and technical safeguards HIPAA requires to safeguard ePHI.
      3. All University HIPAA Components and Third-Party Business Associates must implement policies and procedures to:
         1. Identify and document personnel (by title or function) who require access to PHI in order to perform their permitted job functions (the “Workforce”).[1]
         2. Train Workforce members about their HIPAA obligations within a reasonable time of hire or change in position, as applicable, and periodically thereafter, and document the receipt of such training.
         3. Safeguard PHI from (i) any intentional or unintentional use or disclosure that is not permitted by this Policy, and (ii) with the exception of uses or disclosures for treatment purposes, using or disclosing more than the minimum necessary amount of PHI for an incidental or permitted use or disclosure.
         4. Safeguard ePHI against any reasonably anticipated threats or hazards to the security, integrity, and confidentiality of the ePHI; and protecting against any reasonably anticipated uses or disclosures of ePHI that are otherwise not permitted by this Policy.
         5. Forward to the University HIPAA Privacy Officer for review and response all proposed modifications to the University-approved HIPAA forms, as applicable; any Business Associate Agreement proposed by a third party; any revocations of a previously-granted Authorization to Disclose Protected Health Information; any requests from patients to exercise rights HIPAA conveys to them; and any complaints or inquiries regarding the University’s compliance with HIPAA or this Policy.
         6. Execute Business Associate Agreements when engaging a third party to perform a task or service involving the use or disclosure of PHI.
         7. Record disclosures other than for treatment, payment, or health care operations or pursuant to a patient’s authorization for accounting purposes.
         8. Document all steps taken to comply with this policy and maintain the documentation for six years from the date of creation or the date when it was last in effect, whichever is later.
      4. University HIPAA Components directly treating patients must also:
         1. Designate a person to receive complaints about the Covered Component’s compliance with this Policy (the “Contact Person”). The Contact Person will forward complaints to the HIPAA Privacy Officer for review and response.
         2. Use the University’s Approved HIPAA Documents.
         3. Obtain an Authorization from patients for uses or disclosures of PHI for purposes other than treatment, payment, or health care operations.
         4. Make the University’s Notice of Privacy Practices (the “Notice”) available by (i) except in an emergency, providing it to new patients either in person or in the case of telehealth services electronically and, when possible, obtaining the patient’s acknowledgement of receipt; (ii) posting the Notice at the front desk; (iii) giving the Notice to anyone who requests it and keeping copies available at the front desk; (iv) posting the Notice on their webpages; and (v) posting an update on their webpages in the event of a material change to the Notice.
         5. Forward to the HIPAA Privacy Officer for response patient requests (i) to access or amend their PHI, restrict additional disclosures, or to receive confidential communications, or (ii) for an accounting of disclosures.POLICY STANDARDS AND PROCEDURES
   3. Compliance
      Violations of this Policy may result in disciplinary action.

[1] Students are included in the definition of “Workforce” if they are required to use or disclose PHI.