SUBJECT: HIPAA Compliance
DESCRIPTION: The federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires certain entities, e.g., certain health care providers, health plans, and health care organizations, maintaining personally identifiable health information to implement policies and procedures, effective April 14, 2003, to safeguard the use and disclosure of such health information. Washburn University is not required to adopt the policies for its entire operation; rather, it may designate as a "hybrid entity" only those health care components of the University which have such information. Student records protected under the Family Educational Rights and Privacy Act (FERPA) and employee records are exempt. The only component of the University subject to the act is our group health plan, as it is a self-insured plan. The University is also required to designate a Privacy Officer to develop and implement the policies and procedures, provide training and respond to requests made under the act.
FINANCIAL IMPLICATIONS: N/A
RECOMMENDATION: President Farley recommends the Board of Regents: designate, as a hybrid entity for purposes of HIPAA compliance, the University's group health plan and _________________ as its Privacy Officer; and approve the attached policy statement for compliance with HIPAA.
(date) Jerry B. Farley, President
A. Designation of "Hybrid Entity"
For purposes of complying with the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) and implementing regulations, the Washburn University Board of Regents has designated its group health plan as its health care component performing functions covered by, and subject to, the act.
B. General Policy On Use and Disclosure of Health Information
It is the policy of the Board of Regents that the hybrid entity created for HIPAA purposes comply in all respects with the provisions of the privacy rules adopted by the Secretary of the U.S. Department of Health and Human Services which are summarized herein for guidance to the entity and its Privacy Officer in the development and implementation of procedures required under the act.
Except as required and/or permitted by law, the use and disclosure of health information of an individual maintained by the hybrid entity or maintained by any of its business associates will occur only with the consent of or authorization by such individual. "Health information" means any information, whether oral or recorded in any form or medium, that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care by a health care provider to an individual. "Health record", for purposes of this policy, means any record maintained by the group health plan or its business associate which contains health information. The term "health record" does not include, however, student records subject to the Family Educational Rights and Privacy Act (FERPA) and employee records. With the exception of purposes related to treatment, payment or health care operations, access to an individual's protected health information must be limited to only that necessary to accomplish the intended purpose of the approved use, disclosure or request.
Protected health information may be accessed, used, or disclosed only by authorized personnel and business associates; provided, however, such access, use or disclosure shall be restricted to the minimum necessary to execute their respective responsibilities. The unauthorized access to, or unauthorized use or disclosure of, health information in a health record shall subject the responsible employee to disciplinary action up to and including suspension or termination of employment.
C. Individual Rights
1. General Rule. Individuals have the right, except as otherwise provided by applicable regulation, to request to:
a. inspect and obtain copies of their own protected health information in their health record, subject to specific exceptions provided for by law or regulation;
b. request the amendment of their health information in their health record; and
c. request an accounting of disclosures of their health information, except for those:
(i) made for purposes of treatment, payment and health care operations; or
(ii) authorized by the individual.
2. Restrictions on Use and Disclosure.
a. Requests. Individuals are permitted to request restrictions on the uses and disclosure of protected health information (i) for treatment, payment or health care operations; and (ii) for instances in which use and disclosure is subject to objection or agreement by the individual pursuant to regulation.
b. Agreement to Restrict Use and Disclosure. There is no requirement that any entity agree to restrict disclosure. However, in the event an agreement is made to restrict the use and/or disclosure of health information, such restriction shall be observed except as otherwise permitted by regulation to be used or disclosed for purposes of providing emergency care to the requestor.
c. Termination of Restriction. As provided by regulation, the restriction may be terminated by the individual in writing or orally or by the group health plan. In the event the termination of the restriction is by the group health plan, such termination is only effective as to protected health information created or received after notifying the individual of termination.
3. Request for Confidential Communication.
a. Request. Individuals are permitted to request that protected health information be communicated to them by alternative means or at alternative locations if disclosure of all or part of the information endangers the individual.
b. Conditions for Request. A request for confidential communication must be made in writing, specify the alternative address or other method of contact and state that disclosure of all or part of the information to which the request pertains could endanger the individual.
4. Marketing and Fundraising. Except as otherwise permitted by regulation, protected health information may not be used or disclosed for marketing or fundraising purposes. The terms "Marketing" and "Fundraising" shall have the meanings provided for in the Secretary's regulations.
5. Notice of Privacy Practices. Individuals participating in the group health plan shall be provided the Notice of Privacy Practices required by law and regulation, which shall include a reservation of rights to change the privacy practices and the terms of the required notice as permitted by regulation.
6. Complaints. Individuals who have a concern that the group health plan may have violated their rights may file a complaint with the Contact Office designated on the Notice of Privacy Practices or may file a written complaint with the U.S. Department of Health and Human Services. Should an individual wish to file a complaint with the U.S. Department of Health and Human Services, the Contact Office will furnish that address.
7. Privacy Officer. _____________________ is designated as the person to serve as the entity's Privacy Officer required by regulation to develop and implement all procedures for compliance with HIPAA.