Privacy of Health Information (HIPAA)
Policy number: 1.11
Policy section: Institutional Affairs
Revised Date: December 16, 2019
Definitions of capitalized terms used herein are set forth in Appendix A. Other terms not defined in this policy shall have the meanings defined in the HIPAA Regulations.
The purpose of this policy is to address the University’s compliance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).
3. Policy Statement
It is the policy of the University to comply with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act in Public Law 111-5 (the “HITECH Act”), and the regulations promulgated thereto (collectively, the “HIPAA Regulations”), which include, as amended from time to time, (i) the privacy standards, requirements and specifications promulgated by the Secretary at 45 C.F.R. Parts 160 and 164 subparts A and E (the “Privacy Rule”), (ii) the security standards, requirements and specifications promulgated by the Secretary at 45 C.F.R. Parts 160 and 164 subparts A and C (the “Security Rule”), and (iii) the breach notification standards, requirements and specifications enacted by Subtitle D of the HITECH Act and promulgated by the Secretary at 45 C.F.R. Part 164 subpart D (the “Breach Notification Rule”). This policy further addresses the University’s designation as a hybrid entity under the HIPAA Privacy Rule and Breach Notification Rule.
While HIPAA regulates the use and disclosure of “Protected Health Information”, HIPAA specifically excludes records that are covered under the Family Educational Rights and Privacy Act of 1974 (“FERPA”) and any employment records maintained by the University in its capacity as an employer. This policy does not apply to records covered under FERPA or any employment records maintained by the University.
4. Hybrid Entity Designation
- HIPAA regulations apply to organizations that qualify as “covered entities.” Covered entities include (1) health plans; (2) health care clearinghouses; and (3) health care providers who conduct certain electronic transactions, such as transmission of health care claims, health care payments, and enrollment in a health plan. Although the University does not primarily engage in any of these activities, some units within the University do perform functions that meet the definition of a covered entity. Pursuant to the Privacy Rule, the University has elected to be designated as a hybrid entity under HIPAA, as provided by 45 C.F.R. § 164.103 and 45 C.F.R. § 164.105.
- A “hybrid entity” is defined as a single legal entity that is a covered entity, performs business activities that include both covered and non-covered functions, and designates its health care components as provided in the Privacy Rule. If a covered entity is a hybrid entity, the Privacy Rule generally applies only to its designated health care components. The University has designated the following units as health care components based upon one or more of the following criteria: (1) a component that would meet the definition of a covered entity if it were a separate legal entity; (2) a component that performs covered functions; or (3) a component that performs activities that would make it a business associate if it were a separate entity. Each designated health care component will comply with the HIPAA requirements, as applicable to the health care component and its covered functions. The designated health care components that provide business associate services will follow the HIPAA Regulations applicable to the designated health care component for which it is providing business associate services.
5. Units of the University Covered by HIPAA Regulations
The following units of the University have been designated as health care components, collectively known as the “Covered Components,” and are required to comply with HIPAA requirements:
- The Dr. Bob Smith Health Center at Southern Methodist University – health care provider.
- SMU Pharmacy – health care provider.
- SMU Center for Family Counseling – health care provider, applicable to the extent the Center conducts transactions covered by HIPAA.
- Office of Human Resources – maintains employee self-insured health benefit plans.
- Office of Legal Affairs – when providing services to the University which, if external to the University, would make it a business associate for HIPAA purposes.
- Office of Compliance and Internal Audit – when providing services to the University which, if external to the University, would make it a business associate for HIPAA purposes.
- Office of Information Technology –when providing services to the University which, if external to the University, would make it a business associate for HIPAA purposes.
- Office of Risk Management – when providing services to the University which, if external to the University, would make it a business associate for HIPAA purposes.
6. Privacy Officer
- The Covered Components have designated a Privacy Officer to oversee the formulation and implementation of these Privacy Policies. The Privacy Officer’s duties include coordinating activities relating to protecting privacy and monitoring the Covered Components’ HIPAA privacy program to comply with applicable laws, rules, and regulations. These activities include, but are not limited to, development, training, and enforcement relating to privacy policies and procedures. The Privacy Officer also serves as the chief liaison for dealing with privacy matters that arise in relationships with Individuals, Business Associates, the public, and privacy enforcement authorities.
- The Privacy Officer will be the point of contact for all concerns and complaints regarding privacy and confidentiality.
- Workforce are required to cooperate with the Privacy Officer’s efforts relating to protection of PHI and implementation of these policies.
- The Covered Components have designated the following individual(s) to serve as Privacy Officer(s):
- Executive Director of Health Services
- Senior Associate Director of Human Resources
7. Permissible Use and Disclosure of PHI
It is the Covered Components’ policy to only use or disclose PHI in a manner permitted by the HIPAA Privacy Rule or as authorized by the applicable Individual. Covered Components will not disclose PHI to any non-Covered Components, if such disclosure would be prohibited to an entity, which is separate from the University under the Privacy Rule and this policy. If a use or disclosure is not permitted by the Privacy Rule, the Covered Components must obtain an individual written authorization in accordance with requirements of the Privacy Rule. The following are different ways the Covered Components may use and disclose PHI without an Individual’s authorization:
- For Treatment, Payment and Health Care Operations. Further details regarding these uses are set forth in the Covered Components’ Notice(s) of Privacy Practices.
- To an Individual Participant or for Patient Communication.
- Disclosures to the Secretary of the U.S. Department of Health and Human Services. The SMU Office of General Counsel and Legal Affairs shall be consulted before any PHI is released pursuant to such requests.
- For Certain Public Health Activities. PHI may be disclosed to a public health authority that is authorized by law to collect or receive the information.
- Abuse, Neglect, or Domestic Violence. PHI regarding victims of abuse, neglect, or domestic violence may be disclosed to a governmental authority authorized under state law to receive a report of abuse, neglect, or domestic violence. The SMU Office of Legal Affairs shall be consulted before any PHI is released pursuant to such requests.
- Health Oversight. PHI may be disclosed to a health oversight agency so that government agencies can monitor or oversee the health care system and government benefit programs and be sure that certain health care entities are following regulatory programs or civil rights laws. The SMU Office of Legal Affairs shall be consulted before any PHI is released pursuant to such requests.
- Judicial and Administrative Proceedings. PHI may be disclosed in the course of a judicial and administrative proceeding including all court orders, subpoenas, discovery requests or other lawful process. Before disclosing PHI, the request must be reviewed and answered according to requirements in the HIPAA Privacy Rule. The SMU Office of Legal Affairs shall be consulted before any PHI is released pursuant to such requests.
- For Military and Intelligence Needs. PHI may be disclosed in response to requests relating to the U.S. Armed Forces, foreign military, or for purposes of national security or intelligence activities. The SMU Office of Legal Affairs shall be consulted before any PHI is released pursuant to such requests.
- In Situations Involving Threats to Health or Safety. In rare circumstances, Workforce may become aware of a situation where an Individual is a threat to the health or safety of another person or the public. If possible, such situations should be immediately reported to the Office of Legal Affairs, who will determine the appropriate course of action to take.
- To Law Enforcement. In rare circumstances, PHI may be disclosed if federal or state law requires it for law enforcement purposes. The SMU Office of Legal Affairs shall be consulted before any PHI is released pursuant to such requests.
- Other Uses and Disclosures Permitted in the Privacy Rule. These uses and disclosures include disclosures to a coroner, medical examiner, or funeral director about a deceased person; to an organ procurement organization in limited circumstances; for workers’ compensation or other similar benefit programs; to the University’s benefit plan sponsor; to notify, or assist in the notification of, a family member, a personal representative of the Individual, or another person responsible for the care of the Individual of the individual’s location, general condition or death.
8. Electronic & Fax Transmissions
- Fax Transmissions: Fax transmission of PHI is discouraged and should be used minimally. All faxes containing PHI should include the following language:
- Email Transmissions: Email transmission of PHI is discouraged and should be used minimally. All email correspondence containing PHI should include the following:
The documents accompanying this fax contain confidential information that is legally privileged. The information is intended only for the use of the recipient named above. If you have received this fax in error, please immediately notify us by telephone and destroy the documents. You are hereby notified that any disclosure, copying, distribution or the taking any action in reliance on the contents of this fax information is strictly prohibited.
This information is intended for the person(s) or entity to which it is addressed and may contain confidential and/or privileged information. Any review, retransmission, dissemination, or any action in reliance upon this information by persons or entities other than the intended recipient is strictly prohibited. Please contact me if you receive this email in error.
When applicable, the Covered Components will obtain necessary authorization for uses or disclosures that constitute marketing, as that term is defined by the Privacy Rule. In accordance with the Privacy Rule, authorization is not required for face-to-face communications made by the Covered Components or for communications that concern a promotional gift of nominal value provided by the Covered Components (e.g., pens, key chains, etc.).
10. Sale of PHI
When applicable, the Covered Components will obtain an Individual’s authorization for any disclosure of PHI that constitutes a Sale of PHI, as defined by the Privacy Rule.
11. Health Information Privacy Rights
- Access to Records. With some exceptions, Individuals have the right to review and copy their PHI subject to a fee for the cost of copying, mailing, or other supplies associated with this request. The Covered Components will consult the requirements outlined in 45 C.F.R. § 164.524 when processing a request for access to records.
- Requests for Accountings of Disclosures. Individuals have the right to obtain a listing of those to whom the Covered Components disclosed their PHI. There are certain disclosures that are not included in the listing, for example, disclosures made to the Individual about his or her own PHI. The Covered Components will consult the requirements outlined in Privacy Rule at 45 C.F.R. § 164.528 when processing a request for accountings of disclosures.
- Requests for Amendments. Individuals have the right to request an amendment of their PHI when it is incorrect or incomplete. Under some circumstances, the Covered Components may deny requests to amend a record(s) and this denial will be provided in writing. The Covered Components will consult the requirements outlined in 45 C.F.R. 164.526 when processing a request for amendment.
- Requests for Privacy Restrictions. Individuals have the right to request restrictions on the use or disclosure of their PHI. The Covered Components will use best efforts to comply with all approved requests and will provide a written explanation for denied requests or when a previously agreed to restriction is revoked. The Covered Components will consult the requirements outlined in 45 C.F.R. § 164.522 when processing a request for privacy restrictions.
- Requests for Confidential or Alternative Communications. Individuals have the right to specify that communication with them be conducted in a particular manner or be directed to a certain location. The Covered Components will attempt to accommodate all reasonable requests to have confidential communications. The Covered Components will consult the requirements outlined in 45 C.F.R. § 164.522 when processing a request for confidential communications.
12. Notice of Privacy Practices
To the extent that a Covered Component functions as a Covered Entity, the Covered Component will, in compliance with 45 C.F.R. § 164.520, provide a Notice of Privacy Practices to Individuals and to requesting persons regarding how the applicable Covered Components use and disclose PHI, the Individuals’ rights, and the applicable Covered Components’ legal duties regarding such information. The Notice of Privacy Practices will be prepared and distributed in compliance with Privacy Rule.
13. Minimum Necessary Uses and Disclosures of and Requests for PHI
- The Covered Components will strive to use the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure, or request. To the extent practicable, the Covered Components will limit any use, disclosure, or request of PHI to the Limited Data Set, as set out in the HIPAA Privacy Rule.
- The minimum necessary requirements do not apply to the use and disclosure of PHI: (1) for treatment purposes; (2) for information requested by the Individual for his or her own PHI; (3) for information requested pursuant to a valid authorization by the Individual or his or her personal representative; (4) for required disclosures to the Secretary for monitoring or enforcement purposes; (5) for instances required by law, including uses and disclosures that are required for HIPAA compliance.
The Covered Components will implement appropriate administrative, technical, and physical safeguards to protect against any intentional or unintentional use or disclosure of PHI in violation of the Covered Components’ policies and procedures or applicable law. Workforce shall take measures reasonably designed to physically safeguard the privacy of PHI.
15. Personal Representatives and Verification of Identity
The Covered Components recognize that, with respect to the HIPAA Privacy Rule and PHI, a personal representative of an Individual is to be treated as if that personal representative were the Individual. The Covered Components will verify the identity and authority of a person or entity that requests access to PHI and who will be recognized as a personal representative.
16. Refraining from Intimidating or Retaliatory Acts
The Covered Components shall refrain from engaging in intimidation, threats, coercion, discrimination, or any other retaliatory acts in regards to PHI under the situations proscribed by the HIPAA Privacy Rule.
17. Waiver of Rights
The Covered Components will not make eligibility for benefits or treatment, payment, or enrollment in a health plan conditional upon the waiver of an Individual’s rights. The University’s health plan or Plan Sponsor may require certain authorizations for PHI if that information is used for underwriting or risk rating purposes, only as permitted by law.
It is the policy of the Covered Components to receive, respond to, and resolve complaints regarding allegations of improper use or disclosure of PHI by Individuals, other Covered Entities, Business Associates, or Workforce. Complaints shall be filed with the Privacy Officer.
19. Business Associates
To the extent determined necessary by the Privacy Officer and/or the Office of Legal Affairs, the University will enter into Business Associate Agreements, or similar agreements, with those vendors and contractors who assist in carrying out the operations of the Covered Components and qualify as a business associate, as defined in 45 C.F.R. § 160.103. The Business Associate Agreements will address the obligations and protections of HIPAA when the Business Associates are working with PHI on behalf of the Covered Components.
To the extent known to the Covered Components, the Covered Components are committed to complying with HIPAA and other applicable legal requirements regarding the mitigation of harmful effects of the improper use or disclosure of PHI.
21. Workforce Training
- The Covered Components will train Workforce who access, use and disclose PHI regarding the Covered Components’ policies and procedures for the safeguarding of PHI, as necessary and appropriate for each such workforce member to carry out his or her job functions under HIPAA.
- To the extent applicable, the Covered Components and other applicable University departments will also train Workforce as necessary for compliance with the Texas Medical Records Privacy Act, TEX. HEALTH & SAFETY CODE, Chapter 181.
- Documentation of training materials and attendance at the training for Workforce shall be maintained
22. Reporting Violations
All Workforce have the responsibility to immediately report violations or potential violations of the HIPAA Privacy Rule and this policy. Workforce can report violations to their supervisors, the Privacy Officer, or to an employee that the Privacy Officer may designate to receive such reports.
- The Covered Components and University expect all Workforce handling PHI to adhere to the University’s and Covered Components’ policies and procedures regarding the safeguarding of PHI and will sanction workforce members who violate these policies and procedures. Workforce members found to be in violation are subject to discipline in accordance with University Policies 2.1, Standards of Professional Ethics for Faculty and Academic Freedom, 2.17, Procedural Standards for Faculty Sanctions and Dismissals, and 7.23, Personal Conduct, as appropriate. Disciplinary measures taken will be commensurate with the violation and the circumstances of each case and may include reprimand, suspension from employment, or termination of employment.
- To the extent applicable, students found to be in violation of this policy are subject to discipline in accordance with the SMU Policies for Community Life and/or the SMU Code of Student Conduct.
24. Records Management
The Covered Component will retain all required HIPAA documentation for at least six (6) years, maintain appropriate storage measures to protect documentation containing PHI or EPHI, and establish appropriate and secure procedures for destruction of records.
25. Disclosures to the Secretary
The Covered Components will provide the Secretary of the U.S. Department of Health and Human Services with copies and/or access to records in such time and manner required by the HIPAA Regulations and as requested by the Secretary. The University and Covered Components will cooperate with the Secretary, if the Secretary undertakes an investigation or compliance review of HIPAA policies, procedures, or practices.
26. Breaches of Unsecured PHI: General
Covered Components are further required to comply with federal notification regulations in the event of a Breach of Unsecured Protected Health Information as required under the HIPAA Breach Notification Rule. These procedures set forth requirements that Workforce must follow when identifying any Breach of Unsecured PHI and when providing the required notifications of the Breach.
27. Breaches of Unsecured PHI: Discovery
Upon Discovery of a known or suspected Breach of Unsecured PHI, the Covered Components must investigate the incident and conduct a risk assessment to determine if a Breach occurred. Workforce shall immediately report Discovered or suspected Breaches to the Privacy Officer. Unless directed by the Privacy Officer, Workforce shall not independently investigate a suspected Breach or apply a risk assessment analysis to determine if notification is required.
28. Breaches of Unsecured PHI: Impermissible Use or Disclosure & Risk Assessment
An impermissible use or disclosure of PHI is presumed to be a Breach unless it can be demonstrated that there is a low probability that the PHI has been compromised. When assessing the probability that the PHI has been compromised based on a risk assessment, at least the following factors must be considered:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification. To assess this factor, consider the type of PHI involved in the impermissible use or disclosure, such as whether the disclosure involved information that is of a more sensitive nature. Considering the type of PHI involved in the impermissible use or disclosure will help determine the probability that the PHI could be used by an unauthorized recipient in a manner adverse to the Individual or otherwise used to further the unauthorized recipient’s own interests.
- The unauthorized person who used the PHI or to whom the disclosure was made. To assess this factor, consider whether the unauthorized person who received the information has obligations to protect the privacy and security of the information.
- For example, if PHI is impermissibly disclosed to another entity regulated by HIPAA or other federal or state privacy laws, there may be a lower probability that the PHI has been compromised because the recipient of the information must protect the privacy and security of the information in a similar manner as the Covered Components.
- Whether the PHI was actually acquired or viewed or, alternatively, if only the opportunity existed for the information to be acquired or viewed.
- The extent to which the risk of PHI has been mitigated.
Once these factors have been addressed, the Privacy Officer must evaluate the overall probability that the PHI has been compromised by considering all the factors in combination. If an evaluation of the factors fails to demonstrate that there is a low probability that the PHI has been compromised, breach notification is required. The Privacy Officer shall notify and consult with the Office of General Counsel and Legal Affairs in the event of a potential Breach of Unsecured PHI.
29. Breaches of Unsecured PHI: Documentation of Risk Assessment
The Privacy Officer shall document the risk assessment for all incidents involving an alleged Breach of Unsecured PHI and the basis for concluding that the impermissible acquisition, Access, use or disclosure of Unsecured PHI is, or is not, a Breach or does not require notification because there is a low probability that the PHI has been compromised.
30. Breaches of Unsecured PHI: Notification
In the event that it is determined that a Breach has occurred, the Privacy Officer is responsible for addressing all required Breach notifications and shall consult management and legal counsel, as necessary or appropriate. As promptly as possible, the Privacy Officer will determine which notification requirements must be met in accordance with the Breach Notification Rule. Notification requirements include notice to the affected individual(s), the Secretary, and, potentially, the media.
31. Breaches of Unsecured PHI: Delay of Notice
If a Law Enforcement Official determines that a notification, notice, or posting under the Breach Notification Rule would impede a criminal investigation or cause damage to national security, the Plans will delay such notification, notice or posting. Delay shall occur in accordance with the Breach Notification Rule.
32. Breaches of Unsecured PHI: Training
Workforce shall be trained regarding these Breach Notification Policies and Procedures, as necessary and appropriate for the Workforce to carry out their job functions.
33. Breaches of Unsecured PHI: Document Retention
The Privacy Officer will maintain for a period of at least six (6) years the following documentation relating to the incident:
- Documentation regarding the risk assessment or the application of any exceptions to the definition of Breach;
- A record or log for all Breaches of Unsecured PHI regardless of the number of Individuals affected;
- Evidence that all required notifications were made; and
- Documentation regarding the scope of any breach notification training, dates upon which it has been given, and the attendees of the training.
Appendix A: Definitions
“Access” means the ability or the means necessary to read, write, modify, or communicate data / information or otherwise use any system resource.
“Breach” means the unauthorized acquisition, access, or use or disclosure of Unsecured PHI in violation of the HIPAA Privacy Rule that compromises the security or privacy of such information. Breach does not include: (a) Disclosure of Secured PHI; (b) Situations where a Covered Entity or Business Associate has a good faith belief that the unauthorized person to whom the PHI was disclosed would not reasonably have been able to retain the PHI; (c) the unintentional acquisition, access or use of PHI by a Workforce member or person acting under the authority of a Covered Entity or Business Associate, if the acquisition, access or use was made in good faith, within the scope of the employment or professional relationship, and does not result in further use or disclosure in a manner not permitted under the HIPAA Privacy Rule; (d) the inadvertent disclosure of PHI from a person who is authorized to access PHI at a Covered Entity or Business Associate to another person authorized to access PHI at the same Covered Entity or Business Associate and the information received is not further used or disclosed in a manner not permitted under the HIPAA Privacy Rule.
“Business Associate” means a person or entity, with respect to a Covered Entity, who on behalf of the Covered Entity creates, receives, maintains, or transmits PHI for a function or activity regulated by the HIPAA Privacy Rule. These services include, but are not limited to, claims processing or administration; data analysis, processing, or administration; utilization review; quality assurance; billing; and benefit managing. These services also include the provision of legal services; actuarial services; accounting services; consulting services; data aggregation services; management services; administration services; accreditation services; and financial services to or for a Covered Entity where the provision of the service involves the disclosure of PHI from the Covered Entity or from another Business Associate of the Covered Entity.
“Covered Entity” means (1) health plans; (2) health care clearinghouses; and (3) health care providers who conduct certain electronic transactions, such as transmission of health care claims, health care payments, and enrollment in a health plan.
“Discovery” of a Breach occurs as of the first day on which such Breach is known to the Covered Entity or Business Associate, or by exercising reasonable diligence would have been known. The Covered Components are deemed to have knowledge of a Breach if the Breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the Breach, who is a Workforce member or agent of the Covered Components.
“Electronic Protected Health Information” or “EPHI” means electronic protected health information, as defined in the Security Rule that is created, received, maintained or transmitted by or on behalf of the Covered Entity.
“Individual” means the person who is the subject of the Protected Health Information and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).
“Protected Health Information” or “PHI” is information about an Individual’s health care that identifies the Individual or with respect to which there is a reasonable basis to believe the information can be used to identify the Individual. This includes information related to the past, present, or future physical or mental health or condition of an Individual; information related to the provision of health care to an Individual; and information related to the past, present, or future Payment for the provision of health care to an Individual. Protected Health Information can be in any form or medium including oral, written and electronic. The following are examples of PHI (if it is, or can be, connected with an Individual and his or her health care): name; address; social security number; birth date; telephone number; gender and age; health plan elections; subscriber identification number; policy holder number; claim number; claims dollars; medical record information; medical history; diagnosis codes; procedure codes; health status.
“Secure” or “Secured” means to render PHI unusable, unreadable, or indecipherable to unauthorized persons through a technology or methodology specified by the Secretary on an annual basis.
“Unauthorized” means the impermissible use or disclosure of PHI under the HIPAA Privacy Rule.
“Unsecured Protected Health Information” or “Unsecured PHI” is PHI that is not secured through the use of a technology or methodology specified by the Secretary. PHI includes, but is not limited to, EPHI.
“Workforce” means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity.
Revised: December 16, 2019
Adopted: September 23, 2013