Health Insurance Portability and Accountability Act Compliance
Initially Approved: November 23 2015
Policy Topic: Governance
Administering Office: Health Services/Legal Counsel Office
I. POLICY STATEMENT
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulates
health care providers, known as “Covered Entities” (Covered Entities or CE) that electronically
maintain or transmit protected health information (PHI) in connection with a covered
transaction. HIPAA requires each Covered Entity to maintain reasonable and appropriate
administrative, technical and physical safeguards for privacy and security. Entities
or individuals who contract to perform services for a Covered Entity with access to
protected health information, known as a Business Associate (Business Associates)
are also required to comply with the HIPAA privacy and security standards. Western
Carolina University (WCU or University) is subject to the HIPAA regulations because
certain units of the University conduct business and provide patient care that is
subject to the regulations. WCU is required to identify its units that are Covered
Entities, ensure compliance with safeguard and implementation specifications, and
provide for enforcement of compliance with the HIPAA regulations. Western Carolina
University designates HIPAA Security and Privacy Officers to provide campus-wide leadership
II. DEFINITIONS
HIPAA - Part of federal regulations set forth to assure that individuals’ health information
is properly protected while allowing the flow of health information needed to provide
and promote high quality health care and to protect the public's health and wellbeing.
Protected Health Information - Any information about health status, provision of health care, or payment for health
care that can be linked to a specific individual.
Covered Entity - Any health plans, health care clearinghouses, and any health care provider who
transmits health information in electronic form in connection with transactions for
which the Secretary of the Department of Health and Human Services (DHHS) has adopted
standards under HIPAA. Only units defined in Exhibit A shall be considered a Covered
Entity for the purpose of this policy and any related procedure.
Business Associate - A person or organization, other than a member of a Covered Entity's workforce,
that performs certain functions or activities on behalf of, or provides certain services
to, a covered entity that involve the use or disclosure of individually identifiable
health information. Generally, the University will not become a Business Associate
of an external organization or person where the University is not itself the
Covered Entity. Any Business Associate agreement must be approved by University Legal
Counsel prior to the execution of said agreement.
Notice of Privacy - A notice of a Covered Entity’s privacy practices which must be given to each patient
explaining the covered entity’s safeguards to maintain patient confidentiality and
the patient’s right to privacy.
Confidentiality Statement - Written privacy policies and procedures that are consistent with the Privacy Rule
outlining the employee’s responsibilities related to privacy practices. Each employee
within the Covered Entity should have on file in his/her personnel record acknowledgement
of training regarding the privacy rule and a signed statement agreeing to abide by
the rule and protect the patient’s privacy.
Release of Information - Form(s) that patients are required to provide to a covered entity granting permission
for the entity to release confidential, protected health information.
III. IMPLEMENTING PROCEDURES
The Covered Entity must:
- Appoint a HIPAA compliance and security officer or officers.
- Implement policies and procedures with respect to Protected Health Information (PHI)
that comply with HIPAA regulations including, but not limited to, ensuring compliance
with and enforcement of PHI security, use and disclosure with other University employees
as well as any disclosures provided to external third parties. Updates to this policy
and supporting information security policies will be communicated to all department
managers, and department managers are expected to update the department copies accordingly
and inform their workforce of changes.
- Maintain the policies and procedures in written (paper or electronic) form.
- Implement a training program that includes computer security incident training and
general security awareness that informs all of the Covered Entity’s staff, including
management, of all policies and procedures that apply to them in their individual
roles. Training should be provided on a regular, periodic basis and should be documented
for all employees.
- Make the policy and training available to all staff responsible for implementing the
policies and procedures to which the documentation applies.
- Inform patients of the Covered Entity’s HIPAA policies and procedures and the patient’s
rights and responsibilities, and receive and maintain written acknowledgement of receipt
of such information.
- Require a patient’s (or legal guardian if the patient is a minor) written authorization
for Release of Information for any use or disclosure of protected health information
that is not for treatment, payment or health care operations or otherwise permitted
or required by the Privacy Rule. The release of information should state the patient’s
name, date of birth and the specific dates of service.
- Promptly document and process any complaints of alleged HIPAA violations, mitigate
any damages, investigate and address any violations.
- Perform regular, ongoing monitoring, assessment, and revision, as necessary, to ensure
continued compliance and enforcement of HIPAA standards.
- Perform regular, ongoing monitoring, assessment and revision, as necessary, of HIPAA
policies and procedures and documentation in response to environmental, operational,
staff, technical, or legal changes.
- Ensure that access to WCU PHI and electronic record systems is restricted to appropriately
authorized and identified individuals, in accordance with this policy, University
policy #97, Data Security and Stewardship, and University Policy #95, Data Network
Security and Management.
- Ensure that any requests for computer access to PHI data are reviewed by department
managers in the appropriate healthcare area to determine the access rights of the
workforce member. Access rights will only be granted for legitimate business purposes
and should not exceed the minimum necessary for a workforce member’s assigned duties.
- Ensure that department managers in designated health care areas are responsible
for documenting the location of PHI, whether electronic or paper records, and for implementing
appropriate procedures to secure locations that contain PHI.
IV. POLICY REVIEW
This policy shall be reviewed and revised as necessary every two (2) years.
V. RELATED POLICIES, PROCEDURES or DOCUMENTS
- International Standards Organization (ISO/IEC 27002, 18.1 Compliance with legal and
- 45 CFR Part 164, Subpart C, Security and Privacy
- University Policy #52, Use of Computers and Data Communications
- University Policy #95, Data Network Security and Access Control
- University Policy #97, Data Security and Stewardship
- University Policy #106, Identity Theft Prevention Program
- University Policy #108, Records Retention and Disposition
- University Policy #117, Information Security Policy
- Health Services Policy: Patient Rights and Responsibilities.docx
- Health Services Policy: Patient Release of Information.docx
- WCU Confidentiality Agreement
- WCU Business Associate Agreement
- HIPAA Business Associates Agreement