SUPPLEMENT TO HIPAA POLICY

 

-----------------------------------------

 

HIPAA Roles and Responsibilities

Purpose

 

The purpose of this document is to define roles and responsibilities that are essential to the implementation of Carnegie Mellon’s Health Insurance Portability and Accountability Act Policy (“HIPAA Policy”).

 

Scope

 

These roles and responsibilities apply to Covered Components, as defined by the HIPAA Policy, as well as those individuals who have been delegated authority to oversee the Covered Components.

 

Roles and Responsibilities

 

Carnegie Mellon’s HIPAA Policy states that, “Covered Components shall maintain the security and privacy of PHI in accordance with the requirements of the HIPAA statute and regulations.” The following roles and responsibilities have been defined for the purpose of implementing this policy.

 

1.       Covered Component

 

As defined by Carnegie Mellon’s HIPAA Policy, Covered Components include:

 

Primary Components

·         Student Health Services

·         University Group Health Plan

 

Support Employees

·         Individual employees within any part of the University (other than the Primary Components) who provide support services to any of the Primary Components and, as a part of such support services, have access to PHI.  Such employees will be notified by the relevant Primary Component that the employees may have access to PHI.

 

Primary Components and Support Employees are collectively referred to as “Covered Components.”

 

Each Primary Component is responsible for:

 

  1. Appointing an official to act as a liaison with the HIPAA Privacy Officer and the HIPAA Security Officer in developing appropriate policies, procedures and controls to comply the HIPAA Policy.

 

  1. Implementing policies, procedures and controls developed in collaboration with the HIPAA Privacy Officer and the HIPAA Security Officer to comply with the HIPAA Policy.

 

  1. Periodically conducting a risk assessment, in collaboration with the HIPAA Privacy Officer and the HIPAA Security Officer, to measure potential risks to the security and privacy of PHI within the Primary Component.

 

  1. Coordinating with the Office of General Counsel, the HIPAA Privacy Officer and the HIPAA Security Officer to ensure that an appropriate Business Associate Agreement is in place with a third-party, prior to conducting business that involves the handling of PHI applicable to the Primary Component.  Each Primary Component is responsible for maintaining copies of any Business Associate Agreements concerning the Primary Component.

 

  1. Notifying the relevant Support Employees that such employees may have access to PHI as a result of working with the Primary Component. 

 

Support Employees are responsible for:

 

  1. Following any policies, procedures and controls established by the Primary Components, the HIPAA Privacy Officer, and/or the HIPAA Security Officer regarding access to and the use of the PHI. 

 

  1. Cooperating with any risk assessment initiated by the Primary Components, the HIPAA Privacy Officer, and/or the HIPAA Security Officer. 

 

2.       HIPAA Privacy Officer

 

The University HIPAA Privacy Officer is a University employee who is responsible for the development and implementation of the policies and procedures required to comply with the HIPAA Privacy Rule as defined by the Code of Federal Regulations, 45 C.F.R. 160, 162 and 164. 

 

The HIPAA Privacy Officer is responsible for:

 

  1. Understanding the HIPAA Privacy Rule and how it applies within each Covered Component.

 

  1. Developing appropriate policies and procedures to comply with the HIPAA Privacy Rule.

 

  1. Overseeing the enforcement of patient privacy rights within each Covered Component.

 

  1. Monitoring each Covered Component for compliance with privacy policies and procedures.

 

  1. Developing and implementing HIPAA privacy training for employees within each Covered Component.

 

  1. Notifying the HIPAA Security Officer of any Business Associate Agreements that implicate EPHI, prior to the execution or amendment of any such agreement.

 

  1. Receiving and responding to complaints of alleged non-compliance with the HIPAA Privacy Rule.

 

The HIPAA Privacy Officer may delegate his or her responsibilities to other University employees.  The HIPAA Privacy Officer is appointed by the President of the University.  The President has appointed the Vice President for Campus Affairs as the University HIPAA Privacy Officer.

 

3.       HIPAA Security Officer

 

The University HIPAA Security Officer is a University employee who is responsible for coordinating compliance with the HIPAA Security Rule as defined by the Code of Federal Regulations, 45 C.F.R. 160, 162 and 164. 

 

The HIPAA Security Officer is responsible for:

 

  1. Understanding the HIPAA Security Rule and how it applies within each Covered Component.

 

  1. Developing appropriate policies and procedures to comply with the HIPAA Security Rule

 

  1. Overseeing the security of EPHI within each Covered Component.

 

  1. Monitoring each Covered Component for compliance with EPHI security policies and procedures.

 

  1. Identifying and evaluating threats to the confidentiality and integrity of EPHI.

 

  1. Responding to actual or suspected breaches in the confidentiality or integrity of EPHI.

 

The HIPAA Security Officer may delegate his or her responsibilities to other University employees.  The HIPAA Security Officer is appointed by the President of the University.  The President has appointed the Director of Information Security as the University HIPAA Security Officer.

 

4.       User

 

For the purpose of this policy, a User is any employee within a Primary Component or a Support Employee who is authorized to access PHI and/or access University Information Systems that store EPHI.

 

A User is responsible for:

 

a.       Abiding by the HIPAA Policy and supporting procedures.

 

b.      Reporting actual or suspected vulnerabilities in the confidentiality or integrity of PHI to the HIPAA Privacy Officer and/or the HIPAA Security Officer.

 

c.       Reporting actual or suspected breaches in the security or privacy of PHI to the HIPAA Privacy Officer and/or the HIPAA Security Officer.

 

d.      Reporting suspicious requests for PHI to the HIPAA Privacy Officer and/or the HIPAA Security Officer.

 

 

Additional Information

 

If you have any questions or concerns related to these roles and responsibilities, please contact:

 

·         HIPAA Privacy Officer:                           Michael Murphy, Vice President for Campus Affairs (ext. 8-2057)

 

·         HIPAA Security Officer:                         Mary Ann Blair, Director of Information Security Office (ext. 8-8556)

 

·         HIPAA Benefits Officer:                         Joyce Heckmann, Director of Benefits (ext. 8-5402)

 

·         HIPAA Student Health Officer:           Lori Smith, Student Insurance Coordinator (ext. 8-2157)

 

Definitions

 

Electronic Protected Health Information (“EPHI”) is defined as Individually Identifiable Health Information transmitted by electronic media or maintained in electronic media.1 Electronic Protected Health Information does not include education records or treatment records covered by the Family Educational Rights and Privacy Act (20 U.S.C. 1232g) or employment records held by the University in its role as an employer.

 

Health Information is defined as any information, whether oral or recorded in any form or medium, that is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or healthcare clearinghouse; and that is related to the past, present or future physical or mental health condition of an individual, the provision of health care of an individual, or the past, present or future payment for the provision of healthcare to an individual.

 

Individually Identifiable Health Information is defined as any heath information, as defined above, that identifies an individual or where there is reasonable basis to believe that the information can be used to identify an individual.

 

Information System is defined as any electronic system that stores, processes, or transmits information.

 

Protected Health Information (“PHI”) is defined as Individually Identifiable Health Information transmitted by electronic media, maintained in electronic media or transmitted or maintained in any other form or medium.  Protected Health Information does not include education records or treatment records covered by the Family Educational Rights and Privacy Act (20 U.S.C. 1232g) or employment records held by the University in its role as an employer.