Administrative policy for privacy for protected health information
(1) "HIPAA." "HIPAA" is the "Health Insurance Portability and Accountability Act of 1996" and the "Administrative Simplification" regulations found in title 45 of the Code of Federal Regulations.
(2) Protected health information. Protected health information is individually identifiable health information as defined and protected under "HIPAA."
(B) Designation of privacy official.
(1) The President shall designate a privacy official who shall coordinate the university’s compliance with "HIPAA," including, but not limited to, gathering information sought by a requestor, providing for the inspection of such information by the requestor, furnishing copies to the requestor and receiving complaints.
(a) In order for the university to comply fully with "HIPAA," the university privacy official shall have full authority to gather such information as is necessary to comply with the request.
(b) The university privacy official shall have the authority to an individual or individuals to assist with "HIPAA" compliance obligations.
(2) All university employees shall cooperate fully with the university privacy official in "HIPAA" compliance efforts, including but not limited to, providing the records requested, allowing for proper inspection and copying of the records, and conducting inspections and audits as necessary to conform with the requirements of the law.
(3) The university privacy official shall designate those academic and administrative health care units covered by "HIPAA" as part of the covered health care component of the university. The university privacy official shall maintain a list of all units covered by "HIPAA" and of all other units included within the covered health care component of the university, which serve as business associates within the university covered health care component for "HIPAA" purposes.
(4) The university privacy official shall have the authority to review all privacy, confidentiality and security standards and procedures created by academic and administrative departments that are part of the covered health care component of the university and to direct changes to such standards and procedures as necessary.
(C) Unit requirements.
(1) Academic and administrative departments determined by the university privacy official to be part of the covered health care component of the university shall:
(a) Develop "HIPAA Policies and Procedures" that are unit specific standards and procedures to protect the privacy, confidentiality, and security of protected health information that comply with "HIPAA" and with this rule, which may be amended from time to time.
(b) Train all unit employees who have access to records protected by "HIPAA" on the "HIPAA: requirements, the university policies and procedures for release, privacy and security of selected health information, and the unit standard and procedures for privacy, confidentiality, and security of records protected by HIPAA." Such training must be conducted as the university privacy official deems necessary and within a reasonable period of time after a new individual joins one of the covered health care components.
(c) Distribute a notice of privacy practices as necessary under "HIPAA." The notice of privacy practices must contain all "HIPAA" required elements and be approved by the university privacy official prior to being distributed.
(d) Document compliance efforts as required by "HIPAA."
(e) Comply with all federal, state, and local laws and regulations related to the privacy, confidentiality, and security of medical information.
(D) Business Associates. Units within the covered health care component of the university may share protected health information with third parties, referred to as business associates, who provide the units within the covered component with services that use or involve health information. These units shall only share such information with business associates pursuant to a business associate approved by the office of university counsel.
(E) University employees. University employees in "HIPAA" covered components shall:
(1) Limit uses and disclosures of all health information to the minimum necessary to complete the assigned task.
(2) Upon discovery, report all incidents of misuse of improper disclosure of protected health information to the university privacy official.
(F) Retaliation. The university shall not tolerate nor engage in retaliation against any employee who reports an incident of misuse or improper disclosure of protected health information to the university privacy official or to the secretary of the department of health and human services.
(1) Any employees who uses or discloses protected health information contrary to this policy shall be subject to discipline under the applicable disciplinary policies or collective bargaining agreement.
(2) Covered components shall document any sanctions imposed for violations of this rule of the Administrative Code, or unit standards and procedures, as required by "HIPAA."
Effective: June 1, 2007
Prior Effective Dates: 6/12/2003