Health Insurance Portability and Accountability Act Compliance
Initially Approved: November 23, 2015
Revised: October 11, 2022
Technical Change: February 20, 2023
Policy Topic: Governance and Administration
Administering Office: Health Services/Legal Counsel Office
I. POLICY STATEMENT
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulates
health plans, health care clearinghouses, and health care providers, known as “Covered
Entities” (Covered Entities or CE), that maintain or transmit protected health information
(PHI) in electronic form in connection with a covered transaction. HIPAA requires each
Covered Entity to maintain reasonable and appropriate administrative, technical, and
physical safeguards for privacy and security. Entities or individuals that contract to
perform services for a Covered Entity and that have access to protected health information,
known as Business Associates, are also required to comply with the HIPAA privacy and security
standards. Western
Carolina University (WCU or University) is subject to the HIPAA regulations because
certain units of the University conduct business and provide patient care that is
subject to the regulations. WCU is required to identify its units that are Covered
Entities, ensure compliance with safeguard and implementation specifications, and
provide for enforcement of compliance with the HIPAA regulations. Western Carolina
University designates HIPAA Security and Privacy Officers to provide campus-wide leadership
for compliance.
II. DEFINITIONS
- HIPAA – Federal law and implementing regulations intended to ensure that individuals’ health
information is properly protected while allowing the flow of health information needed to
provide and promote high-quality health care and to protect the public's health and well-being.
- HITECH – The Health Information Technology for Economic and Clinical Health Act (HITECH)
was enacted in 2009 to promote and expand the adoption of health information technology,
specifically the use of electronic health records by health care providers. The act also
strengthened HIPAA’s privacy and security requirements, applied them directly to Business
Associates, added breach notification requirements, and expanded enforcement of HIPAA
violations with tiered civil penalties.
- Protected Health Information – Any information, in any form, about an individual’s health
status, the provision of health care to the individual, or payment for that health care that
identifies or can reasonably be linked to a specific individual.
- Covered Entity – A health plan, a health care clearinghouse, or a health care provider that
transmits any health information in electronic form in connection with a transaction for
which the Secretary of the Department of Health and Human Services (DHHS) has adopted
standards under HIPAA. Only the units listed in Exhibit A shall be considered a Covered
Entity for the purpose of this policy and any related procedure.
- Business Associate – A person or organization, other than a member of a Covered Entity's
workforce, that performs certain functions or activities on behalf of, or provides certain
services to, a Covered Entity that involve the use or disclosure of individually identifiable
health information. Generally, the University will not enter into a business associate
agreement with, or act as a Business Associate for, an external organization or person where
the University is not itself the Covered Entity. Any Business Associate agreement must be
approved by University Legal Counsel prior to its execution.
- Notice of Privacy Practices – A notice of a Covered Entity’s privacy practices that must be
given to each patient, explaining how the Covered Entity may use and disclose PHI, the
safeguards it maintains to protect patient confidentiality, and the patient’s privacy rights.
- Confidentiality Statement – A signed statement in which an employee acknowledges training
on the Privacy Rule and agrees to abide by the Covered Entity’s written privacy policies and
procedures (which must be consistent with the Privacy Rule) and to protect patient privacy.
Each employee within the Covered Entity should have the signed statement and the
acknowledgement of training on file in his/her personnel record.
- Release of Information – Form(s) a patient completes to authorize a Covered Entity to release
the patient’s protected health information.
III. IMPLEMENTING PROCEDURES
The Covered Entity must:
- Appoint a HIPAA Privacy Officer and a HIPAA Security Officer (these may be one person or several).
- Implement policies and procedures with respect to Protected Health Information (PHI)
that comply with HIPAA regulations, including, but not limited to, ensuring compliance
with and enforcement of PHI security, use, and disclosure requirements both for sharing
with other University employees and for any disclosure to external third parties. Updates
to this policy and to the supporting information security policies will be communicated
to all department managers, who are expected to update their departmental copies
accordingly and inform their workforce of the changes.
- Maintain the policies and procedures in written (paper or electronic) form.
- Implement a training program, including computer security incident training and general
security awareness training, that informs all of the Covered Entity’s staff, including
management, of the policies and procedures that apply to them in their individual roles.
Training should be provided on a periodic basis and documented for every employee.
- Make this policy, the supporting procedures, and the related training available to all
staff responsible for implementing them.
- Inform patients of the Covered Entity’s HIPAA policies and procedures and of their rights
and responsibilities, and obtain and retain written acknowledgement of receipt of that
information.
- Require a written Release of Information authorization from the patient (or from the legal
guardian if the patient is a minor) for any use or disclosure of protected health information
that is not for treatment, payment, or health care operations and is not otherwise permitted
or required by the Privacy Rule. The authorization should identify the patient by name and
date of birth and specify the dates of service it covers.
- Promptly document, investigate, and resolve any complaint of an alleged HIPAA violation, and
mitigate any harm resulting from a confirmed violation.
- Perform regular, ongoing monitoring and assessment of HIPAA compliance and enforcement, and
revise HIPAA policies, procedures, and documentation as necessary in response to
environmental, operational, staffing, technical, or legal changes.
- Ensure that access to WCU PHI and electronic record systems is restricted to appropriately
authorized and identified individuals and is protected in accordance with this policy,
University Policy #97, Information Security and Privacy Governance, and University Policy
#106, Identity Theft Prevention Program.
- Ensure that any request for system access to PHI is reviewed by the department manager in
the appropriate health care area, who determines the workforce member’s access rights. Access
rights will be granted only for legitimate business purposes and must not exceed the minimum
necessary for the workforce member’s assigned duties.
- Ensure that department managers in designated health care areas document the location of
PHI, whether in electronic or paper form, and implement appropriate procedures to secure
locations that contain PHI.
- Ensure that Business Associate Agreements comply with HIPAA standards and the HITECH Act.
IV. POLICY REVIEW
This policy shall be reviewed and revised as necessary every two (2) years.
V. RELATED POLICIES, PROCEDURES or DOCUMENTS
International Organization for Standardization (ISO/IEC 27002:2022, Clause 5, Organizational
Controls)
45 CFR Part 164, Security and Privacy (including Subpart C, Security Standards for the
Protection of Electronic Protected Health Information, and Subpart E, Privacy of Individually
Identifiable Health Information)
University Policy #52, Responsible Use of Information Technology Resources
University Policy #97, Information Security and Privacy Governance
University Policy #106, Identity Theft Prevention Program
University Policy #122, Video Capture Policy
EXHIBIT A – Western Carolina University employees subject to HIPAA regulations
Employees who work in direct patient care areas and generate medical records, including:
- Health Services (includes Campus EMS)
- Counseling and Psychological Services
- Department of Sports Medicine (Athletics)
- Speech and Hearing Clinic
- Physical Therapy Clinic
- WCU Psychological Services Clinic
- Any other employees who provide patient care and generate medical records
Employees who, through the required responsibilities of their position, potentially have
access to PHI:
- Information Technology staff
- Environmental Services staff that clean in patient care areas
- Safety and Risk Management Office (workers’ compensation administration)
- Legal Counsel
- Compliance Officer
- Title IX Coordinator
Employees who provide direct oversight, management, and administrative duties on behalf of
the University:
- Student Concern Response Team
- Executives/Administrators with organizational responsibility for a patient care area
Departmental Policies:
Health Services Policy: Patient Rights and Responsibilities
Health Services Policy: Patient Release of Information
Documents:
WCU Confidentiality/Security Agreement
WCU HIPAA Business Associates Agreement