Carnegie Mellon University

SUPPLEMENT TO HIPAA POLICY

HIPAA Roles and Responsibilities

Purpose

The purpose of this document is to define roles and responsibilities that are essential to the implementation of Carnegie Mellon's Health Insurance Portability and Accountability Act Policy ("HIPAA Policy").

Scope

These roles and responsibilities apply to the Health Care Component, as defined by the HIPAA Policy, as well as those individuals who have been delegated authority to oversee the Health Care Component.

Roles and Responsibilities

Carnegie Mellon's HIPAA Policy states that, "the Health Care Component” shall maintain the privacy of PHI in accordance with the requirements of the HIPAA statute and regulations." The following roles and responsibilities have been defined for the purpose of implementing this policy.

1. Health Care Component (“HCC”)

As defined by Carnegie Mellon's HIPAA Policy, the University’s Health Care Component includes:

  • University Health Services (“UHS”), limited to standard health care services provided to students; and
  • Counseling and Psychological Services (“CaPS”), limited to psychiatry services provided to students. Each department within the Health Care Component is responsible for:
    1. Appointing an official to act as a liaison with the HIPAA Privacy Officer in developing appropriate policies, procedures and controls to comply the HIPAA Policy.
    2. Implementing policies, procedures and controls developed in collaboration with the HIPAA Privacy Officer to comply with the HIPAA Policy.
    3. Responding to any requests for a Business Associate Agreement, explaining the absence of Protected Health Information in the Health Care Component and thus that a Business Associate Agreement is not required.
    4. Notifying the HIPAA Privacy Officer to the extent there are any material changes in the health care services being provided by the Health Care Component or the billing arrangements, including billing of third party payors, with regard to such services. Approval of the HIPAA Privacy Officer shall be obtained before any material changes are implemented.

2. HIPAA Privacy Officer

The University HIPAA Privacy Officer is a University employee who is responsible for the development and implementation of the policies and procedures required to comply with the HIPAA Privacy Rule as defined by the Code of Federal Regulations, 45 C.F.R. 160, 162 and 164.

The HIPAA Privacy Officer is responsible for:

  1. Understanding the HIPAA Privacy Rule and how it applies to the Health Care Component. 
  2. Developing appropriate policies and procedures to comply with the HIPAA Privacy Rule.
  3. Overseeing the enforcement of patient privacy rights within the Health Care Component.
  4. Monitoring each department within the Health Care Component for compliance with privacy policies and procedures.
  5. Developing and implementing HIPAA privacy training for Workforce for each department in the Health Care Component.
  6. Receiving and responding to complaints of alleged non-compliance with the HIPAA Privacy Rule.

The HIPAA Privacy Officer may delegate his or her responsibilities to other university employees. The HIPAA Privacy Officer is appointed by the president of the university. The president has appointed the Associate Vice President for Community Health and Well-Being as the University HIPAA Privacy Officer.

3. Workforce

For the purpose of this policy, a Workforce member is any employee, volunteer, trainee or other person who performs work within a department in the Health Care Component and is under the direct control of the Health Care Component when performing such work.

Workforce are responsible for:

  1. Abiding by the HIPAA Policy and supporting procedures.
  2. Asking the HIPAA Privacy Officer to the extent there are any questions regarding compliance with the HIPAA Policy and supporting procedures.
  3. Reporting to the HIPAA Privacy Officer any incidents of non-compliance with the HIPAA Policy and supporting procedures.

If you have any questions or concerns related to these roles and responsibilities, please contact:

  • HIPAA Privacy Officer: Maureen Dasey-Morales, Associate Vice President for Community Health and Well-Being (412-268-2075).

Training of Workforce Members

All Workforce members within the Health Care Component must be trained on the Privacy Rule generally and the HIPAA Policy and supporting procedures, as applicable to their role or function, specifically. The HIPAA Privacy Officer shall oversee and document the HIPAA training and periodically update it to reflect any changes in the HIPAA Policy and supporting procedures.

Training Timing and Frequency. The Health Care Component shall train each new Workforce member within a reasonable time after the member joins a department or function within the Health Care Component. The Health Care Component will retrain each Workforce member whose functions are affected either by a material change in HIPAA, the HIPAA Policy and supporting procedures, or the Workforce member’s job functions, within a reasonable time after the change.

The Privacy Officer may request or require additional training or retraining for any Workforce member or group, as necessary and appropriate.

Documentation. The Privacy Officer shall document that HIPAA training for each Workforce member was provided and completed and the date of such training. The Privacy Officer shall maintain such records for six (6) years from the date of creation or the date when it was last in effect, whichever is later.

Complaints

The Health Care Component shall create a process for individuals, Workforce members, and members of the general public to lodge complaints about the Health Care Component’s privacy procedures. A copy of the complaint procedure shall be provided to any individual upon request.

Any Workforce member who knows of a violation of the HIPAA Policy, supporting procedures, or the Privacy Rule, or who receives a privacy complaint, shall promptly and without delay report such violation to the HIPAA Privacy Officer.

Complaints that appear to necessitate sanctioning of a Workforce member shall be addressed with the HIPAA Privacy Officer and Human Resources, as appropriate. Complaints that appear to necessitate revision or fine-tuning of the HIPAA Policy or supporting procedures shall be addressed by the HIPAA Privacy Officer. The HIPAA Privacy Officer shall handle all HIPAA complaints related to the Health Care Component’s compliance with the Privacy Rule and/or the HIPAA Policy and supporting procedures, and shall take primary responsibility for developing and maintaining the Health Care Component’s complaint process. The HIPAA Privacy Officer shall maintain a log of all complaints received regarding the Health Care Component’s privacy practices to track the status of the complaint.

Any Workforce member that has knowledge of any privacy complaint must keep this information confidential and use and disclose this information only as necessary to assist the HIPAA Privacy Officer in resolving the issue. The Health Care Component shall not intimidate, threaten, coerce, discriminate against, or retaliate against any Workforce member, individual, or other person who files a complaint.

Sanctions

The Health Care Component shall establish sanctions to be applied against Workforce members who fail to comply with the HIPAA Policy, supporting procedures, or the Privacy Rule. Such sanctions shall be appropriate to the severity of the infraction and may take account of repeat offenses and willful violation. They may include verbal warnings, written warnings placed in personnel files, termination of systems access privileges, and termination of employment and of future reemployment opportunities.

All such sanctions shall be appropriately documented and retained in accordance with the University’s disciplinary policies and procedures.

No sanction may be applied against a Workforce member on the basis that he/she: files a complaint with the Secretary of HHS or is involved in other investigations or actions regarding privacy; opposes any act or practice unlawful under HIPAA, provided that the Workforce member has a good faith belief that the practice opposed is unlawful and the manner of opposition is reasonable and does not involve a violation of the Privacy Rule; believes in good faith that the Health Care Component has engaged in conduct that is unlawful or otherwise violates professional or clinical standards, or that the care, services, or conditions provided by the Health Care Component potentially endangers one or more individuals, workers, or the public.

Prohibition Against Retaliation/Waiver of Rights

The Health Care Component will not intimidate, threaten, coerce, or discriminate against any individual who exercised his/her rights, or for participation in any process, provided for by the Privacy Rule, including the filing of a complaint. The Health Care Component will not require individuals to waive any rights under the Privacy Rule as a condition of the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits.

Document Retention

The HIPAA Privacy Officer shall be responsible for maintaining documentation that include copies (written or electronic) of the following documents, and all other documents required to be maintained by the Privacy Rule, for at least six (6) years after the date they were created or (if later) the date they were last relied upon.

  • Health Care Component HIPAA Documents. Current and superseded copies of the HIPAA Policy and supporting procedures shall be maintained for six (6) years after the date they were last in effect.
  • Correspondence/Compliance Documents. All correspondence and documents relating to HIPAA complaints and investigations shall be maintained for six (6) years from the date of receipt, delivery or creation as applicable.
  • Workforce Documents. Workforce member confidentiality agreements, records of Privacy Rule training, and records of sanctions shall be maintained for six (6) years after termination of the Workforce member’s employment. The Privacy Officer shall maintain a log of training dates, training materials and Privacy Rule awareness activities for at least six (6) years from the date of such training or awareness.

Definitions

Health Information is defined as any information, whether oral or recorded in any form or medium, that is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or healthcare clearinghouse; and that is related to the past, present or future physical or mental health condition of an individual, the provision of health care of an individual, or the past, present or future payment for the provision of healthcare to an individual.

Individually Identifiable Health Information is defined as any heath information, as defined above, that identifies an individual or where there is reasonable basis to believe that the information can be used to identify an individual.

Protected Health Information ("PHI") is defined as Individually Identifiable Health Information transmitted by electronic media, maintained in electronic media or transmitted or maintained in any other form or medium. Protected Health Information does not include education records covered by, or treatment records excluded from, the Family Educational Rights and Privacy Act (20 U.S.C. 1232g) or employment records held by the University in its role as an employer.

Workforce member means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for the Health Care Component, is under the direct control of the Health Care Component, whether or not they are paid by the Health Care Component.