Texas Woman's University University Regulation and Procedure Regulation and Procedure Name: HIPAA Privacy and Security Policy and Procedures Regulation and Procedure URP: 01.270 Number: Policy Owner: Finance and Administration, Office of General Counsel, and Student Life POLICY STATEMENT These University Regulation and Procedures (“URP”) are designed to specify Texas Woman’s University’s (“TWU” or the “University”) compliance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and as amended under the American Recovery and Reinvestment Act of 2009 and by Section 181.001(b) of the Texas Health and Safety Code. These URP provide for the protection and security of a person’s medical information. The establishment of these URP demonstrates TWU’s commitment to ensuring individuals’ have access to their medical information and are provided protections regarding its use and disclosure. These URP meet the Department of Health and Human Services requirements that TWU communicate clear and specific compliance standards and procedures to applicable parties. TWU is a hybrid entity, as its primary function is not health care; however, some components of TWU use, or may use, or disclose protected health information (“PHI”). TWU consists of health care service components, other services that support the business operations of the health care components, as well as components that are not related to health care services. Only health care components and those components that provide business support to the health care components must comply with all provisions of the privacy rule (see the list on p. ii). However, all TWU components should strive to protect the confidentiality and privacy of PHI consistent with these policies and procedures. The release of protected information from the covered service or function of TWU to the non-covered service or function of TWU is considered a disclosure under the HIPAA Privacy Rule (the “Privacy Rule”) for which an authorization must be obtained. However, if a non-health care TWU component provides business associate-like services to the health care component of TWU, and if it is so designated, an authorization is not needed, but the Privacy Rule applies to that component. The Texas Medical Privacy Act supplements the federal requirements, and it considers a covered entity to be any entity or person that uses, possesses, or obtains PHI. HIPAA regulations will be followed in administrative activities undertaken by assigned personnel when they involve PHI in any of the following circumstances: health information p. i privacy, health information security and health information electronic transmission. TWU employs appropriate and comprehensive security and privacy measures that build and maintain a commitment to achieve security and privacy of protected health information. (45 CFR 164.504) The HIPAA Compliance Officer of TWU, in consultation with the General Counsel of TWU, shall define the health care components of the University and those entities that provide business associate type support services. The remaining components will be designated as non-covered components. The HIPAA Compliance Officer in consultation with the TWU General Counsel will also review this list annually, and will update it as needed. (45 CFR 164.504) Health care components at TWU considered Covered Entities where HIPAA applies are: ● Athletic Trainers ● Student Health Services Components at TWU that are not Covered Entities under HIPAA (due to not engaging in HIPAA transactions), but which have regular and substantial contact with PHI and therefore will still be subject to these policies and procedures, are: ● Counseling and Family Therapy Clinic ● Counseling Center ● Dental Hygiene Clinic ● Institute/Women’s Health (including Pioneer Performance Clinic) ● College of Nursing ● Occupational Therapy/Physical Therapy ● Research Group ● Speech-Language-Hearing Clinic ● Stroke Center These health care components will each maintain a list of their respective business associates. Components at TWU that are not Covered Entities, that do not have regular contact with PHI, and that will not be subject to these policies and procedures, are: ● Woodcock Institute These Policies shall apply to all health care components listed above. Additionally, all other components of the University that regularly deal with PHI shall consider the efficacy of these policies and, where applicable, comply with these policies to the extent appropriate. It is the goal of the University that, even where HIPAA is not specifically applicable to a particular University component, that component will strive for HIPAA compliance as if that component were actually a covered entity under HIPAA. APPLICABILITY This policy is applicable to TWU Faculty, Staff, Students, and Guests. p. ii Table of Contents Table of Contents ......................................................................................................... iii PROCEDURES ............................................................................................................... 1 ADMINISTRATIVE REQUIREMENTS ............................................................................ 1 Business Associate Contracts and other Arrangements (45 CFR 164.504) ................. 1 Personnel Designations ................................................................................................ 2 HIPAA Compliance Officer (45 CFR 164.530) ......................................................... 2 Privacy Officer and Contact Person (45 CFR 164.530) ............................................ 3 Security Officer and TWU Information Security Officer ............................................ 4 HIPAA Privacy and Security Committee .................................................................. 5 Documented Privacy Training (45 CFR 164.530) ......................................................... 6 Documentation of Signed Employee Confidentiality Statement .................................... 7 Notice of Privacy Practice ............................................................................................. 8 Consent for the Use and Disclosure of PHI ................................................................ 11 Specially Protected Medical Records ......................................................................... 11 De-Identification of PHI (45 CFR 164.502, 164.514) .................................................. 12 Authorization Requirements for Use and Disclosure (45 CFR 164.508) ..................... 13 Uses and Disclosures of PHI ...................................................................................... 19 PATIENT RIGHTS......................................................................................................... 35 Access and Denial of Patient Request for PHI (45 CFR 164.524) .............................. 35 Denial of Access to PHI .............................................................................................. 38 Patient Right to Restrict Access of Uses and Disclosures (45 CFR 164.522) ............ 39 Patient Right to Amend One’s Own Protected Health Information (45 CFR 164.526) 40 Accounting for Disclosures and Patient Access to Disclosure Logs (45 CFR 164.528, 164.530) ..................................................................................................................... 43 HIPAA BREACH NOTIFICATION ................................................................................. 46 Notification General Rule: HITECH Section 13402 ..................................................... 46 Methods of Notification ............................................................................................... 48 Content of Notification (to the Individual) .................................................................... 49 Sanctions for Breaches (45 CFR 164.530) ................................................................. 49 Prohibition of Retaliation (45 CFR 164.530) ............................................................... 50 SECURITY .................................................................................................................... 51 General Standards (45 CFR 164.306(a), 306(b)(2), 316(a)) ...................................... 51 Designation of a Security Officer (45 CFR 164.308(a)(2)) .......................................... 52 Workforce Training (45 CFR 164.308(a)(5)) ............................................................... 53 Documentation (45 CFR 164.316(b)(i)-(iii); 22 Tex. Admin. Code §165.1) ................. 54 Mitigation (45 CFR 164.308(a)(6)(i)-(ii)) ..................................................................... 55 Security Management Process (45 CFR 164.308(a)(1)(i)) ......................................... 55 Security Management Process: Risk Analysis (45 CFR 164.308(a)(1)(ii)(A))............. 56 Security Management Process: Risk Management (45 CFR 164.308(a)(1)(ii)(B)) ..... 57 Security Management Process: Sanction Policy (45 CFR 164.308(a)(1)(ii)(C)) ......... 58 Security Management Process: Information System Activity Review (45 CFR 164.308(a)(1)(ii)(D)) .................................................................................................... 59 Workforce Security (45 CFR 164.308(a)(3)(i)) ............................................................ 59 p. iii Workforce Security: Authorization and/or Supervision Policy (45 CFR 308(a)(3)(ii)(A)) ..................................................................................................................................
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages154 Page
-
File Size-