HIPAA Compliance

Section: Governance, Ethics and General Policies
Policy Name: HIPAA Compliance
Policy Owner: Vice President and General Counsel
Responsible University Office: Office of General Counsel
Origination Date: November 19, 2019
Revisions:
Legacy Policy Number: New
  1. SCOPE OF POLICY
     This policy addresses the University’s compliance obligations under the federal Health Insurance Portability and Accountability Act (“HIPAA”) to safeguard the privacy and security of Protected Health Information, as defined below, regardless of whether the information is in oral, written, or electronic form, and the University’s obligation to notify individuals in the event their Protected Health Information is, or is reasonably believed to have been, accessed, acquired, used or disclosed in a manner contrary to this policy. This policy applies to all University personnel but imposes additional obligations on those of its units, departments, colleges, schools or other parts of the University that conduct activities involving the use of Protected Health Information (collectively the University’s “Covered Components”).
  2. DEFINITIONS
      1. “Business Associate” means a person or entity who creates, receives, maintains or transmits Protected Health Information on behalf of a Covered Component.[1]
      2. “Health Information” means any information, whether oral or recorded in any form or medium, that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
      3. “Individually Identifiable Health Information” means the subset of Health Information that identifies an individual, such as a patient, or can be reasonably used to identify an individual.
      4. “Protected Health Information” or “PHI” means that subset of Individually Identifiable Health Information that is subject to HIPAA. Individually Identifiable Health Information may become PHI when, for example, a health care provider uses or discloses the information in order to provide care to a person or to receive payment for the services rendered. PHI excludes information subject to the Family Educational Rights and Privacy Act (“FERPA”) and Health Information the University maintains in employment files for employment purposes. PHI in electronic form is “Electronic Protected Health Information” or “ePHI.” Unless expressly noted in this policy, PHI includes ePHI.
  3. POLICY STATEMENT
     The University designates the University HIPAA Privacy Officer as responsible for overseeing the University’s overall compliance with HIPAA’s requirements regardless of the form of PHI (i.e., oral, written, or electronic).[2] The University designates the University Security Officer as responsible for addressing HIPAA’s administrative, technical, and physical safeguards applicable to PHI in electronic form.[3] Covered Components must use, disclose, and safeguard PHI as specified in this policy and notify the University HIPAA Privacy Officer in the event PHI has been, or is reasonably believed to have been, accessed, acquired, used or disclosed in a manner contrary to this policy. Covered Components may adopt additional procedures specific to their operations provided that those procedures do not conflict with this policy. In addition, all University personnel who (i) are not a part of a Covered Component or who will be acting outside the scope of their Covered Component activities, and (ii) use or intend to use Individually Identifiable Health Information (regardless of the source of the information) must register with the University HIPAA Privacy Officer for a determination of HIPAA obligations, if applicable. The University will discipline personnel who violate this policy.
  4. POLICY STANDARDS AND PROCEDURES
    1. Requirements Applicable to All University Personnel
      1. University personnel will complete periodic awareness training regarding their obligations to identify activities involving Individually Identifiable Health Information.
      2. University personnel who (i) are not a part of a Covered Component or who will be acting outside the scope of their Covered Component activities, and (ii) use or intend to use Individually Identifiable Health Information, either on their own behalf or on behalf of a third party, must contact and register with the University HIPAA Privacy Officer. The University HIPAA Privacy Officer will determine whether the intended use implicates HIPAA and if so will provide further guidance on the accompanying HIPAA obligations.
      3. University personnel who become aware of a potential inaccuracy in the list of Covered Components must notify the University HIPAA Privacy Officer.
      4. University personnel who discover an actual or suspected use or disclosure of PHI in violation of this policy must report the incident to the University HIPAA Privacy Officer. The University will not retaliate against an individual for making a report in good faith.
    2. Requirements Applicable to All Covered Components: All Covered Components must:
      1. Identify and document personnel (by title or function) who require access to PHI in order to perform their permitted job functions (the “Workforce”).[4] Workforce members include those individuals directly or indirectly involved in (i) treating patients, (ii) obtaining payment for services rendered, or (iii) providing health care operations services for those Covered Components that treat patients.[5] 
      2. Supplement general University HIPAA training to ensure that new Workforce members, or those performing new tasks involving PHI receive appropriate training within a reasonable time of hire or change, as applicable, and document the receipt of such training.
      3. Require Workforce members to acknowledge their understanding of their HIPAA obligations by signing a Confidentiality Statement, in the form attached as Appendix D.
      4. Comply with the University’s HIPAA Compliance Program, which establishes institutional standards and procedures for the appropriate protection and management of PHI.
        1. Identify and implement administrative, physical, and technical measures to reasonably safeguard PHI from (i) any intentional or unintentional use or disclosure that is not permitted by this policy, and (ii) using or disclosing more than the minimum necessary amount of PHI for an incidental or permitted use or disclosure.[6]
        2. Ensure appropriate administrative, physical, and technical safeguards are implemented to protect the confidentiality, integrity, and availability of ePHI the Covered Components and their Business Associates create, receive, maintain or transmit; protect against any reasonably anticipated threats or hazards to the security or integrity of the ePHI; and protect against any reasonably anticipated uses or disclosures of ePHI that are otherwise not permitted by this policy.
      5. Use or disclose PHI only for the Covered Component’s own (i) treatment, (ii) payment, or (iii) health care operations purposes or for the treatment, payment, or health care operations purposes of other health care providers who have a direct or indirect treatment relationship with the patient. Forward any other requests for uses or disclosures of PHI to the University HIPAA Privacy Officer for review and coordination of response, including any requests for the use or disclosure of PHI for research.[7] 
      6. With the exception of uses and disclosures for treatment purposes, or as otherwise directed by the University HIPAA Privacy Officer,[8] limit the use or disclosure of PHI to the minimum necessary PHI required to achieve the payment or health care operations purpose.
      7. Forward to the University HIPAA Privacy Officer for review and response all of the following:
        1. Any proposed modifications to the University’s standard forms and any proposal to use any form other than the University’s standard forms;
        2. Any revocations of previously-received patient authorizations;
        3. Any patient requests for a restriction on the use or disclosure of PHI;
        4. Any patient requests for confidential communications;
        5. Any requests for patient access to or amendment or accounting of disclosures of their PHI.
      8. Confer with the University HIPAA Privacy Officer in the event it is unclear whether an individual qualifies as a personal representative for a patient.[9]
      9. Execute Business Associate Agreements when engaging, or being engaged by, a third party to perform a task or service involving the use or disclosure of PHI using the University’s standard form of Business Associate Agreement. See Appendix G and H, as applicable.
      10. Consult with the University HIPAA Privacy Officer when de-identifying PHI.
      11. Forward any request for the sale of PHI in the Covered Component’s custody or control to the University HIPAA Privacy Officer for review and response.
      12. In consultation with the University HIPAA Privacy Officer, mitigate, to the extent practicable, any known harmful effect of a use or disclosure of PHI in violation of this policy, including any breach of PHI.
      13. Document all steps taken to comply with this policy and maintain the documentation for six years from the date of creation or the date when it was last in effect, whichever is later.[10]
    3. Additional Requirements Applicable Only to Covered Components Directly Treating Patients: Covered Components directly treating patients must also:
      1. Designate a person to receive complaints regarding the Covered Component’s compliance with the policy (the “Contact Person”). The Contact Person will forward complaints to the University HIPAA Privacy Officer for review and response.
      2. Use the University’s standard HIPAA forms, as applicable, including the Notice of Privacy Practices,[11] Authorization to Release Medical Records,[12] and Business Associate Agreements.[13]
      3. If applicable, obtain an authorization from the patient to permit the Covered Component to use or disclose the patient’s PHI for research purposes.[14]
      4. Make the University’s Notice of Privacy Practices (the “Notice”) available by:
        1. Except in an emergency situation, providing new patients with the University’s Notice and, if possible, obtaining acknowledgment from the patient of its receipt or document the reason why it was not obtained;
        2. Posting a copy of the Notice in the waiting/reception area, as applicable;
        3. Providing a copy of the Notice to anyone who requests it and maintaining a supply of Notices at the reception desk for this purpose;
        4. Posting the Notice on its webpage, as applicable;
        5. Posting a communication on its webpage, as applicable, in the event the Notice is materially changed and offering to provide a paper copy of the Notice upon request.
      5. Coordinate any fundraising communications with the University HIPAA Privacy Officer prior to making the communication.
      6. Ensure that patients are not required to waive their rights under HIPAA (e.g., the right to access or amend their PHI; right to request an accounting of disclosures; right to request restrictions of additional disclosures; right to request confidential communications) as a condition to receiving treatment.

[1] In some cases, a unit, department, college, school or other part of the University (including a Covered Component) may agree to act as a Business Associate for other persons or entities subject to HIPAA that are not affiliated with the University.  These University components must register with the University HIPAA Privacy Officer as specified in Section IV.A.2.

[2] Appendix A provides the current listing of Covered Components.  Appendix B provides a summary of the University HIPAA Privacy Officer’s responsibilities.

[3] The responsibilities of the University HIPAA Security Officer are included as Appendix C.

[4] Students are included in the definition of “Workforce” if they are required to use or disclose PHI as a part of the functions they perform for a Covered Component.

[5] “Health care operations” is a broad category of permissible uses and disclosures of PHI.  It includes, among other things, uses and disclosures to conduct quality assessment and improvement activities (such as outcomes analysis) or to review the competence or qualifications of health care professionals.  Questions regarding whether a particular use or disclosure qualifies as a health care operations purpose should be directed to the University Privacy Officer.

[6] These types of incidental uses and disclosures occur, for example, when health care providers use a sign-in sheet or call a patient name in a waiting area.  Health care providers are permitted to use and disclose patient names in this manner even though others may hear the information as long as the information used or disclosed is appropriately limited to the minimum amount necessary to achieve the permitted purpose.  So, while using and disclosing the patient name may be permissible, specifying a diagnosis associated with the patient would not be.

[7] Using or disclosing PHI for research purposes is permissible only when certain criteria are satisfied.  The University HIPAA Privacy Officer will coordinate such requests according to the University’s Using PHI for Research Policy.  [Note:  This policy is currently under development.]

[8] The University HIPAA Privacy Officer will inform Covered Components in the event that a patient’s request to restrict certain disclosures of PHI or to receive communications regarding PHI in certain ways has been granted.

[9] “Personal representatives” means those persons who have authority under the law to act on behalf of individuals (e.g., a parent for a minor child).

[10] Refer to the University Archives and Records Management Policy. Policy UARM-X.

[11] See Appendix E.

[12] See Appendix F.

[13] See Appendix G (where the University is engaging the Business Associate); Appendix H (where the University is being engaged as a Business Associate).

[14] Refer to the University’s “Using PHI for Research Policy.”  [Note:  This policy is currently under development.]