POLICY TITLE: Health Insurance Portability and Accountability Act Policy (HIPAA)
DATE OF ISSUANCE: March 16, 2010
ACCOUNTABLE DEPARTMENT/UNIT: Office of the General Counsel. Questions about policy content should be directed to Health Services, ext. 8-2157; or to Human Resources, ext. 8-5402.
ABSTRACT: Policy regarding compliance with the Health Insurance Portability and Accountability Act of 1996 and subsequent federal regulations.
RELATED DOCUMENTS: See HIPAA Supplement
In compliance with the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191 as amended) (“HIPAA”), Carnegie Mellon University (“University”) has adopted the following Health Insurance Portability and Accountability Act Policy (“Policy”) to ensure reasonable protection of Protected Health Information (“PHI”), as defined by the Code of Federal Regulations 45 C.F.R. 160.103. It is the intent of this Policy to act as a supplement to, not a replacement for, other University Policies.
Declaration of Hybrid Entity Status
The University is a Covered Entity under the HIPAA statute and regulations; however, the business activities of the University include both covered and non-covered functions. Therefore, the University has designated itself as a Hybrid Entity, whereby only certain components of the University are covered by the HIPAA Privacy and Security Rules. The following areas of the University are designated as Covered Components:
· Student Health Services
· University Group Health Plan
· Individual employees within any part of the University (other than the Primary Components) who provide support services to any of the Primary Components and, as a part of such support services, have access to PHI. Such employees will be notified by the relevant Primary Component that the employees may have access to PHI.
Carnegie Mellon University’s designated Covered Components shall maintain the security and privacy of PHI in accordance with the requirements of the HIPAA statute and regulations.
The President of the University shall appoint a University HIPAA Privacy Officer responsible for coordinating compliance with the HIPAA Privacy Rule and a University HIPAA Security Officer responsible for coordinating compliance with the HIPAA Security Rule. The specific roles and responsibilities of these two officers shall be set forth in supplemental documentation developed by the University.
The University HIPAA Privacy Officer, the University HIPAA Security Officer and Primary Components shall coordinate to develop supplemental procedures to implement this Policy.
This Policy shall be reviewed by the Office of the General Counsel and the Primary Components as deemed necessary based on changes in the law and changes in technology that affect the protection of PHI. All iterations of this Policy shall be maintained for a period specified by applicable federal regulations.
Violations of this Policy may result in suspension or loss of the violator’s use privileges with respect to University Information Systems, and/or discipline up to and including termination of employment with the University. Additional civil, criminal and equitable remedies may apply.
Exceptions to this Policy must be approved by the University HIPAA Security Officer and the University HIPAA Privacy Officer in consultation with the Office of the General Counsel and relevant individuals in the Primary Components. All exceptions must be formally documented. Exceptions will be reviewed on a periodic basis for appropriateness.
Electronic Protected Health Information (“EPHI”) is defined as Individually Identifiable Health Information transmitted by electronic media or maintained in electronic media. Electronic Protected Health Information does not include education records or treatment records covered by the Family Educational Rights and Privacy Act (20 U.S.C. 1232g) or employment records held by the University in its role as an employer.
Health Information is defined as any information, whether oral or recorded in any form or medium, that is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and that is related to the past, present or future physical or mental health condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual.
Individually Identifiable Health Information is defined as any health information, as defined above, that identifies an individual or for which there is a reasonable basis to believe that the information can be used to identify an individual.
Protected Health Information (“PHI”) is defined as Individually Identifiable Health Information transmitted by electronic media, maintained in electronic media or transmitted or maintained in any other form or medium. Protected Health Information does not include education records or treatment records covered by the Family Educational Rights and Privacy Act (20 U.S.C. 1232g) or employment records held by the University in its role as an employer.