University Policy 123

Health Insurance Portability and Accountability Act Compliance

Initially Approved: November 23 2015
Policy Topic: Governance
Administering Office: Health Services/Legal Counsel Office


The Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulates health care providers, known as “Covered Entities” (Covered Entities or CE) that electronically maintain or transmit protected health information (PHI) in connection with a covered transaction. HIPAA requires each Covered Entity to maintain reasonable and appropriate administrative, technical and physical safeguards for privacy and security. Entities or individuals who contract to perform services for a Covered Entity with access to protected health information, known as a Business Associate (Business Associates) are also required to comply with the HIPAA privacy and security standards. Western Carolina University (WCU or University) is subject to the HIPAA regulations because certain units of the University conduct business and provide patient care that is subject to the regulations. WCU is required to identify its units that are Covered Entities, ensure compliance with safeguard and implementation specifications, and provide for enforcement of compliance with the HIPAA regulations. Western Carolina University designates HIPAA Security and Privacy Officers to provide campus-wide leadership for compliance.


  1. HIPAA –Part of federal regulations set forth to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and wellbeing.

  2. Protected Health Information–Any information about health status, provision of health care, or payment for health care that can be linked to a specific individual.

  3. Covered Entity - Any health plans, health care clearinghouses, and any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of the Department of Health and Human Services (DHHS) has adopted standards under HIPAA. Only units defined in Exhibit A shall be considered a Covered Entity for the purpose of this policy and any related procedure.

  4. Business Associate - A person or organization, other than a member of a Covered Entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information. Generally, the University will not enter become a Business Associate with an external organization or person in which the university is not the actual covered entity. Any Business Associate agreement must be approved by University Legal Counsel prior to the execution of said agreement.

  5. Notice of Privacy - A notice of a Covered Entity’s privacy practices which must be given to each patient explaining the covered entity’s safeguards to maintain patient confidentiality and the patient’s right to privacy.

  6. Confidentiality Statement - Written privacy policies and procedures that are consistent with the Privacy Rule outlining the employee’s responsibilities related to privacy practices. Each employee within the Covered Entity should have on file in his/her personnel record acknowledgement of training regarding the privacy rule and a signed statement agreeing to abide by the rule and protect the patient’s privacy.

  7. Release of Information – Form(s) that patients are required to provide to a covered entity granting permission for the entity to release confidential, protected health information.


The Covered Entity must:

  • Appoint a HIPAA compliance and security officer or officers.
  • Implement policies and procedures with respect to Protected Health Information (PHI) that comply with HIPAA regulations including, but not limited to, ensuring compliance with and enforcement of PHI security, use and disclosure with other University employees as well as any disclosures provided to external third parties. Updates to this policy and supporting information security policies will be communicated to all department managers, and department managers are expected to update the department copies accordingly and inform their workforce of changes.
  • Maintain the policies and procedures in written (paper or electronic) form.
  • Implement a training program that includes computer security incident training and general security awareness that informs all of the Covered Entity’s staff, including management, of all policies and procedures that apply to them in their individual roles. Training should be provided routinely, on a periodic basis and should be documented for all employees.
  • Make the policy and training available to all staff responsible for implementing the policies and procedures to which the documentation applies.
  • Inform patients of the Covered Entity’s HIPAA policies and procedures and the patient’s rights and responsibilities, and receive and maintain written acknowledgement of receipt of such information.
  • Require a patient’s (or legal guardian if the patient is a minor) written authorization for Release of Information for any use or disclosure of protected health information that is not for treatment, payment or health care operations or otherwise permitted or required by the Privacy Rule. The release of information should state patient’s name, date of birth and specific dates of service.
  • Promptly document and process any complaints of alleged HIPAA violations, mitigate any damages, investigate and address any violations.
  • Perform regular, ongoing monitoring, assessment, and revision, as necessary, to ensure continued compliance and enforcement of HIPAA standards.
  • Perform regular, ongoing monitoring, assessment and revision, as necessary, of HIPAA policies and procedures and documentation in response to environmental, operational, staff, technical, or legal changes.
  • Ensure that access to WCU PHI and electronic record systems is restricted to appropriately authorized and identified individuals, in accordance with this policy, University policy #97, Data Security and Stewardship, and University Policy #95, Data Network Security and Management.
  • Ensure that any requests for computer access to PHI data are reviewed by department managers in the appropriate healthcare area to determine the access rights of the workforce member. Access rights will only be granted for legitimate business purposes and should not exceed the minimum necessary for a workforce member’s assigned duties.
  • Ensure that department managers in designated health care areas will be responsible for documenting the location of PHI, either electronic or paper records, and implementing appropriate procedures to secure locations that contain PHI.


This policy shall be reviewed and revised as necessary every two (2) years.


  • International Standards Organization (ISO/IEC 27002, 18.1 Compliance with legal and contractual requirements)
    45 CFR Part 164, Subpart C, Security and Privacy

University Policy #52, Use of Computers and Data Communications

University Policy #95, Data Network Security and Access Control

University Policy #97, Data Security and Stewardship

University Policy #106, Identity Theft Prevention Program

University Policy #108, Records Retention and Disposition

University Policy #117, Information Security Policy

Departmental Policies:

Health Services Policy Patient Rights and Responsibilities.docx

Health Services Policy Patient Release of Information.docx


WCU Confidentiality Agreement: Confidentiality/Security Agreement

WCU Business Associate Agreement: HIPAA Business Associates Agreement

Office of Web Services