20.17 / Protected Health Information

  1. Purpose

    The purposes of this policy are to (1) designate Wichita State University as a hybrid entity, (2) designate certain units of the University as “Covered Components, “Other Clinics,” and “Supporting Units;” (3) define the University’s organizational and administrative responsibilities as they pertain to Health Information, as required under federal and state law; and (4) designate a University Privacy Officer and University Security Officer and identify their general administrative responsibilities.

  2. Scope

    This policy applies to all University Covered Components, Other Clinics, and Supporting Units and their respective Workforce members who are involved in the creation, receipt, transmission, storage, or disposition of Protected Health Information. A current list of Covered Components, Other Clinics, and Supporting Units may be obtained by contacting the Privacy Officer.

  3. Policy

    Wichita State University is committed to protecting individuals’ health information in compliance with all applicable laws and regulations. Accordingly, in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, 1996, as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act, and the Privacy and Security Regulations at 45 CFR §§ 160 and 164 (hereinafter collectively, “HIPAA”), Wichita State University has adopted the following Health Insurance Portability and Accountability Act Policy which shall serve as a supplement to other university policies as well as federal and state laws.

    HIPAA specifically excludes from its purview “treatment records” or student “education records” covered by the Family Educational Rights and Privacy Act (FERPA) as defined at 20 U.S.C. 1232g or in 34 CFR Part 99, as well as records of an employer in the capacity of employer, such as workers’ compensation records and records retained regarding requests for leave.

    Capitalized terms in this policy have those meanings as set forth in Appendix A, “HIPAA Definitions.”

  4. Hybrid Entity Designation

    1. HIPAA applies to individuals and organizations meeting the definition of “Covered Entities.” Covered Entities include group health plans, health care providers who conduct certain transactions electronically — including but not limited to transmissions of health care claims — health care payments, enrollment in a health plan and referral authorizations and health care clearinghouses. Although the University does not primarily or solely engage in any of these activities, some units within the University perform functions that bring them within the definition of a Covered Entity.

    2. WSU has designated itself a Hybrid Entity in accordance with HIPAA. As such, it must designate as part of its Covered Functions any component that would meet the definition of a covered entity if it were a separate legal entity (“Covered Component”). A current list of the University’s Covered Components, including Supporting Units, can be obtained by contacting the Privacy Officer.

  5. Operational Guidelines

    In addition to this policy, the University has issued operational guidelines (“HIPAA Operational Guidelines”) regarding the privacy and security of Individuals’ Health Information. These operational guidelines are merely the University’s minimum standards for HIPAA compliance. Covered Components, Other Clinics, and Supporting Units may find it necessary to adopt additional operational protocols and procedures for their specific unit. Any such unit-specific operational protocols and procedures must be approved by the Privacy Officer and the Security Officer prior to implementation. A copy of the HIPAA Operational Guidelines, as well as unit-specific protocols and procedures may be obtained by contacting the Privacy Officer.

  6. Roles and Responsibilities

    1. Privacy Officer

      1. The President of the University shall designate a Privacy Officer who shall be responsible for coordination of the University’s HIPAA compliance efforts. The duties and responsibilities of the Privacy Officer will include, but are not limited to:

        1. reviewing and overseeing all privacy, confidentiality and security standards and procedures created by the Covered Components, Other Clinics, and Supporting Units;

        2. providing HIPAA guidance and acting as a compliance resource to the Workforce;

        3. overseeing the development and implementation of Privacy and Security Awareness Training;

        4. establishing and administering a process for receiving, documenting, investigating and taking action on complaints, concerns, or reports of breach regarding Health Information;

        5. cooperating with the government, other legal entities, and University administrators, as necessary, in any compliance reviews or investigations;

        6. regularly monitoring changes to privacy laws and regulations to help ensure the University continues to conform to the applicable standards of confidentiality and privacy;

        7. assisting with the identification and development of Business Associate relationships and Business Associate Agreements; and

        8. working with the Security Officer on HIPAA Security Rule compliance efforts and incorporating relevant security content into the Privacy and Security Awareness Training.

      2. The Privacy Officer shall have authority to appoint an individual or individuals to assist with HIPAA Privacy Rule compliance obligations.

    2. Security Officer

      1. The President of the University shall designate a Security Officer who shall be responsible for coordination of the University’s HIPAA Security Rule compliance. The duties and responsibilities of the Security Officer will include, but are not limited to:

        1. developing, implementing, maintaining, and ensuring adherence to the University’s security policies;

        2. overseeing HIPAA training and guidance to the Workforce members on security matters;

        3. receiving any complaints or inquiries about security matters and responding to such complaints or inquiries;

        4. documenting all security-related complaints or inquiries received and ensuring complaints are investigated;

        5. cooperating with the government, other legal entities, and University administrators in any compliance reviews or investigations;

        6. working with appropriate technical personnel to protect Electronic PHI from unauthorized Use or Disclosure, and to ensure the availability and integrity of Electronic PHI; and

        7. conducting periodic security audits and taking remedial action, as necessary.

    3. Privacy Liaisons/Committee

      There is hereby established a University HIPAA Committee. This Committee shall be comprised of one (1) representative from each of the Covered Components and Other Clinics and one (1) representative who shall serve on behalf of the Supporting Units. The Committee is charged with providing broad strategic guidance and oversight to support the University’s overall HIPAA compliance effort(s).

  7. Uses and Disclosures of Protected Health Information

    1. Use and Disclose without authorization

      Covered Components may Use and Disclose PHI without the Individual’s Authorization in the following specific instances:

      1. For purposes of Treatment, Payment or Health Care Operations (“TPO”)

      2. Uses and Disclosures Required by Law

      3. Uses and Disclosures for Public Health Activities

      4. Disclosures About Victims of Abuse, Neglect or Domestic Violence

      5. Uses and Disclosures for Health Oversight Activities

      6. Disclosures for Judicial and Administrative Proceedings

      7. Disclosures for Law Enforcement Purposes

      8. Uses and Disclosures for Cadaveric Organ, Eye, Tissue Donation

      9. Uses and Disclosures for Research Purposes

      10. Uses and Disclosures to Avert a Serious Threat to Health or Safety

      11. Uses and Disclosures for Specialized Government Functions

      12. Disclosures for Workers' Compensation

      13. Disclosures to Friends and Family Members Involved in an Individual’s Care

      14. Disclosures Regarding the Location of the Individual in a Disaster

    2. Disclosure without authorization

      Covered Components may also Disclose PHI without obtaining Authorization from the Individual in the following specific instances:

      1. To another Covered Entity for Treatment performed by the other Covered Entity;

      2. To another Covered Entity for the other Covered Entity’s Payment activities; and

      3. To another Covered Entity for the other Covered Entity’s Health Care Operations in certain limited circumstances.

    3. Written Authorization Required

      Uses and Disclosures of PHI for purposes other than those set forth herein require a valid written Authorization from the Individual.

    4. Minimum Necessary Requirements

      1. When required by the HIPAA Privacy Rule, each Covered Component shall make reasonable efforts to verify the need for and to limit the Use and/or the Disclosure of PHI to only that information necessary to accomplish the intended purpose of the Use or Disclosure.

      2. Covered Components will not Disclose an Individual’s entire record or file unless the Disclosure is not subject to the minimum necessary requirements or the Covered Component has documented justification for making the Disclosure.

    5. Identity Verification Prior to Disclosure

      Covered Components will Disclose PHI only after verifying the identity and authority of the person or entity requesting the PHI, in accordance with this policy, HIPAA Operational Guidelines, and unit-specific protocols and procedures.

  8. Individual Rights

    The HIPAA Privacy Rule provides Individuals with certain rights related to their PHI, which include:

    1. The Right to Receive a Notice of Privacy Practices. Individuals receiving services from a Covered Component that performs Covered Functions will be notified of how and when it may Use and/or Disclose their PHI; this is accomplished through the provision and posting of a Notice of Privacy Practices (“NPP”).

    2. The Right to Place Restrictions on the Use and Disclosure of PHI. Individuals have the right to request restrictions on how a Covered Component Uses and/or Discloses their PHI for TPO purposes, for notification purposes, and to family members or friends involved in the Individual’s care or payment for the Individual’s care.

    3. The Right to Request Access to PHI. Individuals generally have the right to access or receive copies of their PHI maintained by a Covered Component, subject to certain limitations set forth in the relevant University guideline(s).

    4. The Right to an Accounting of Disclosures. Individuals have a right to an accounting of certain Disclosures of PHI that are made by a Covered Component. Each Covered Component will maintain a record of the Disclosures that are required to be documented and will provide an Individual with an accounting of such Disclosures.

    5. The Right to Request an Amendment of Protected Health Information. Individuals generally have the right to request that the PHI maintained by a Covered Component be amended, such as in instances where the Individual believes that an error has been made or information in his or her record is not correct. However, the Covered Component is not obligated to agree to the request, provided that certain processes are followed and requirements met.

    6. The Right to Request Alternative Methods of Confidential Communications of PHI. Individuals have the right to request that a Covered Component communicates with them about their PHI in a certain way or at a certain location (e.g., an Individual may request that all telephone communications be made to a certain number and all mail be sent to a specific address).

    7. The Right to File a Complaint. Individuals who believe that a Covered Component has violated their privacy rights may file a complaint with the University or with the Secretary.

  9. Business Associates

    1. In some cases, a Covered Component may require a person or entity that is not a part of the University to perform or assist in the performance of certain functions, activities or services for or on behalf of the Covered Component that requires Use of, or access to, PHI by the external person or entity. Examples include, but are not limited to, medical transcription services, third party billing companies, medical software vendors, billing or collections services, consulting companies, accreditation organizations, and medical record copying services.

    2. Prior to permitting creation, receipt, Use, maintenance, transmission of and/or access to the PHI, the Covered Component must ensure that the external person or entity has entered into a “Business Associate Agreement.” The Covered Component shall be responsible for maintenance of the appropriate documentation and verification of the business associate, vendor, contractor or subcontractor. All Business Associate Agreements must be established contractually in accordance with University contracting procedures and HIPAA Operational Guidelines and must be approved by the Office of General Counsel.

    3. In some cases, a unit of the University may function as a Business Associate of an outside HIPAA Covered Entity or another Business Associate. Such Business Associate relationships must be established contractually in accordance with University contracting procedures and HIPAA Operational Guidelines and must be approved by the Office of General Counsel.

  10. HIPAA Security Rule Compliance

    1. Administrative, Technical and Physical Safeguards

      1. Each Covered Component, Other Clinic, and Supporting Unit must ensure that appropriate administrative, technical, and physical safeguards are implemented to protect the confidentiality, integrity and availability of the PHI in its care. Safeguards shall apply regardless of form or format of data, device or storage (e.g., verbal, paper, electronic, server, portable device, etc.) and shall be consistent with the HIPAA Operational Guidelines. Safeguards must be approved by the Privacy Officer and the Security Officer prior to implementation.

    2. Risk Analysis and Risk Management Plan

      1. The HIPAA Security Rule requires the University to: (a) conduct thorough and timely risk assessments of the potential threats and vulnerabilities to the confidentiality, integrity and availability of its Electronic PHI (“Risk Analysis”); (b) develop and implement security measures to reduce risks and vulnerabilities to a reasonable and appropriate level, as well as efficiently and effectively mitigate the risks identified in the assessment process (“Risk Management Plan”); and (c) perform information system activity reviews.

      2. Each Covered Component shall coordinate with the Privacy Officer and the Security Officer to ensure the Risk Analysis and Risk Management Plan(s) are accomplished in accordance with the HIPAA Security Rule and HIPAA Operational Guidelines, including regular reviews and updates.

      3. All Workforce members must cooperate fully with all persons charged with performing the Risk Analysis and implementing and managing the Risk Management Plan.

  11. Retention Of HIPAA-Related Documents

    HIPAA requires that certain documents be retained for six (6) years from the date of creation or the date the document was last in effect. This includes, but is not limited to, the following documentation:

    1. Business Associate Agreements

    2. NPPs and Acknowledgement of NPPs

    3. Authorization Forms

    4. Requests for Restriction and related documentation

    5. Requests for Access and related documentation

    6. Requests for Amendment and related documentation

    7. Request for Accounting of Disclosures and related documentation

    8. Training materials and documentation of training completion

    9. Privacy Complaints and related documentation

    10. Versions of the HIPAA Policies and Procedures

    11. Any action, activity or designation required by the Privacy Rule

    12. Designation of the Privacy Officer and Security Officer

    13. A list of all current and past Privacy Liaison Coordinators; and

    14. Breach investigations and risk assessments

  12. Training And Awareness

    1. Covered Components, Other Clinics and Supporting Units are responsible for implementation of training and awareness programs (“Privacy and Security Awareness Training”) that meet the requirements set forth in the HIPAA Operational Guidelines. Such training and awareness programs must be approved by the Privacy Officer and the Security Officer.

    2. All Workforce members with access to PHI, or potential access to PHI, must complete Privacy and Security Awareness Training within ninety (90) days of hire and annually thereafter.

    3. Workforce members must sign the University’s HIPAA Confidentiality Agreement prior to accessing PHI. A copy of this signed Confidentiality Agreement must be maintained by the Covered Component, Other Clinic, or Supporting Unit.

  13. Reporting And Handling Violations

    1. All University employees, including but not limited to Workforce members, shall report any known or suspected Use or Disclosure of PHI made in violation of this policy and/or the HIPAA Operational Guidelines, or any known or suspected Security Incident, to the Privacy Officer and the Security Officer.

    2. The Privacy Officer and Security Officer shall investigate and respond to such reports, including making any legally required notifications in accordance with the relevant legal requirements and University policies and HIPAA Operational Guidelines.

  14. Questions and Complaints

    Questions, concerns or complaints regarding the Use and Disclosure of PHI may be submitted to the applicable Privacy Liaison Coordinator, the Privacy Officer, the Security Officer, or to the Secretary. Complaints may also be anonymously submitted via the University’s Ethics Fraud and Abuse line either via phone (844-724-5631) or via online report form.

    Contact information for the University’s Privacy Officer, Security Officer, and Covered Component Privacy Liaison Coordinators can be found here.

  15. No Retaliation

    Intimidation, retaliation and/or discrimination against any person for reporting any non-compliance with HIPAA, this policy, or the HIPAA Operational Guidelines, including but not limited to filing a complaint regarding a privacy practice, is strictly prohibited.

  16. Sanctions

    Violations of this policy, the HIPAA Operational Guidelines, unit-specific protocols and procedures, and/or federal and/or state law may result in disciplinary action and/or other corrective measures. Such investigations and determinations regarding corrective measures will be made in accordance with the University’s existing policies and procedures regarding such matters, as well as applicable federal and state law.

  17. Implementation

    This policy shall be included in the WSU Policies and Procedures Manual and shared with appropriate constituencies of the University.

    The HIPAA Privacy Officer shall have primary responsibility for publication, dissemination and implementation of this policy.

Appendix A

HIPAA Definitions

A written document or form signed by an Individual or an Individual’s Personal Representative that authorizes the Covered Entity or Business Associate to Use or Disclose PHI for a purpose not otherwise permitted under HIPAA.
Business Associate
Generally, an entity or person who performs a function involving the Use or Disclosure of PHI on behalf of a Covered Entity (such as claims processing, case management, utilization review, quality assurance, billing) or provides services for a Covered Entity that require the Disclosure of PHI (such as legal, actuarial, accounting, accreditation).
Covered Component
An area or combination of areas within a Hybrid Entity designated by the Hybrid Entity as areas that meet the definition of a Covered Entity or Business Associate. A Covered Component must comply with HIPAA.
Covered Entity
A health plan, health care clearinghouse or health care provider that transmits any health information in electronic form in connection with a transaction covered by HIPAA.
Covered Functions
Those functions of a Covered Entity the performance of which makes the entity a health plan, health care provider, or health care clearinghouse.
The act of releasing, transferring, divulging, or providing access to PHI to an organization or individual that is not the entity maintaining that information.
Electronic PHI
PHI (defined below) that is transmitted by electronic media or maintained in any electronic format or media. Electronic PHI is a subset of PHI.
Health Care Operations
Activities normal to the business of providing health care; some examples include development of clinical guidelines, quality assessments, outcomes evaluations, clinical performance evaluations, business planning and development, addressing grievances, etc.
Health Information
Any information, whether oral or recorded in any form or medium, that is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearing house; and relates to the past, present, or future physical or mental health or condition of an Individual; the provision of health care to an Individual; or the past, present, or future Payment for the provision of health care to an Individual.
The U.S. Department of Health and Human Services.
HIPAA Privacy Rule
The Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Parts 160 and 164, Subparts A and E.
HIPAA Security Rule
The Security Standards for the Protection of Electronic PHI at 45 C.F.R. Parts 160, 162, and 164, Subparts A and C.
Hybrid Entity
An organization that: (i) is a Covered Entity; (ii) performs both Covered Functions and non-Covered Functions as part of its business; and (iii) designates the components of its business that meet the definition of a Covered Entity or Business Associate as covered components to be treated as if such components were separate legal entities, for purposes of complying with HIPAA.
The person who is the subject of the PHI and includes a person who qualifies as a Personal Representative in accordance with 45 C.F.R. §164.502(g).
Individually Identifiable Health Information
A subset of Health Information that includes demographic information, and either identifies the Individual or provides a reasonable basis for believing it can be used to identify the Individual.
Other Clinics
Those University units and clinics that use and or disclose Health Information that have not been designated as Covered Components or Supporting Units. These units are required to comply with this policy, the HIPAA Operational Guidelines, and any other unit-specific policies and procedures regarding Health Information.
Any activities such as billing, collection, and related actions taken by a Covered Entity and/or its Business Associates to obtain reimbursement for health care services rendered.
Personal Representative
As specifically determined by state law, a person who has the authority to act on behalf of an Individual in making decisions related to the Individual’s health care. Generally, a parent of a minor; a person empowered under a Power of Attorney (for health care); a legal guardian; or an executor or administrator of an Individual’s estate will be Personal Representatives. The HIPAA Privacy Rule permits a Personal Representative to stand in the place of the Individual and exercise any rights the Individual may otherwise exercise pursuant to HIPAA.
Protected Health Information (PHI)
Individually Identifiable Health Information created, received, or maintained by a Covered Entity, which is transmitted by electronic media, maintained in electronic media or transmitted or maintained in any other form or medium. Protected Health Information does not include education records or treatment records covered by the Family Educational Rights and Privacy Act (20 U.S.C. 1232g), employment records held by the University in its role as an employer, or records regarding a person who has been deceased for more than 50 years.
The Secretary of HHS or his/her designee.
Security Incident
The attempted or successful unauthorized access, Use, Disclosure, modification, or destruction of information or interference with system operations in an information system.
Supporting Unit
A Covered Component that performs support functions on behalf of the Covered Components that meet the definition of a Covered Entity or a Business Associate of a non-University Covered Entity.
The provision, coordination, or management of health care and related services that health care providers render to an Individual. Treatment includes management of health care with a third party, consultation between providers relating to an Individual, or the referral of an Individual for care or services to another provider.
The sharing, employment, application, use, examination, or analysis of PHI within an entity that maintains such information.
Employees (including student employees), volunteers, trainees, graduate students, and other persons, including contractors and agents, whose conduct, in the performance of work for a Covered Component or Other Clinic is under the direct control of such Covered Component or Other Clinic, whether or not they are paid by the Covered Component or Other Clinic.