Administration and Oversight for Protection of Individual Health Information
- Policy Statement
- Reason for Policy
- Procedures
- Forms/Instructions
- Additional Contacts
- Definitions
- Responsibilities
- Appendices
- FAQ
- Related Information
- History
Last Update: December 2006
Responsible University Officer:
- Senior Vice President for Health Sciences
- Privacy Officer
Please go to http://policy.umn.edu for the most current version of the Policy or related document.
POLICY STATEMENT
The University of Minnesota is committed to protecting the privacy of individual health information in compliance with all applicable laws and regulations. To achieve this end, the University has adopted policies and procedures to protect the privacy and provide for the security of individual health information. The University has provided for designation of a Privacy and Security Officer, Privacy Coordinators and Security Contacts to carry out such policies and procedures in an effort to assure the privacy and security of individual health information at the University.
The University of Minnesota is designated as a hybrid entity and has designated the health care components of the University that are covered by HIPAA. These covered health care components include units that provide health care ("Provider Components") and the Health Plan of the University ("Health Plan Component").
Other units of the University may from time to time require access to protected health information ("PHI") to perform business or professional services on behalf of the Provider and Health Plan Components. These service units will not use or disclose the PHI created or received from or on behalf of the health care components in an impermissible manner and will appropriately safeguard the information. Those in service units who access PHI will complete appropriate HIPAA training prior to accessing the PHI and will have access only to the information they need to perform the service. Service units will provide information about their use or disclosure of PHI to the health care components and the University's Privacy and Security Officer as necessary for the health care components to comply with HIPAA.
The University will establish appropriate safeguards to ensure that health care components do not inappropriately disclose PHI to another component of the University and that health care component workforce members use and disclose PHI received from the health care component only as permitted or required by state and federal law.
The University is committed to providing ongoing training & education to members of its health care components' workforce, researchers at the University and University students regarding policies, procedures and legal requirements related to privacy and security of PHI (see Administrative Procedure: Providing Training and Education on the Privacy and Security of Health Information).
The University will cooperate with the Secretary of the Department of Health and Human Services ("Secretary") as required for complaint investigations and compliance reviews. The University will respond to questions and complaints regarding privacy and security of PHI at the University and will resolve the complaints as appropriate.
The University will not sanction, intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any person who files a complaint with the Secretary; who testifies, assists or participates in an investigation, compliance review, proceeding or hearing; or who opposes any act or practice that is unlawful, provided that the person had a good faith belief that the practice complained about is unlawful, the manner of opposition is reasonable, and the opposition does not involve an unlawful disclosure of PHI.
REASON FOR POLICY
- To foster an environment at the University of Minnesota that is sensitive to the privacy and security of individual health information.
- To assure compliance with rules regarding individuals' rights, including access to PHI, requests for amendments to PHI, receipt of an accounting of disclosures, requests for restrictions and receipt of Notice of Privacy Practices.
- To protect the privacy and provide for the security of individual health information in accordance with state and federal laws.
- To protect the University against damaging legal consequences.
- To assure the University has appropriate administrative and oversight mechanisms to facilitate compliance with all applicable laws and policies.
PROCEDURES
FORMS/INSTRUCTIONS
There are no forms for this policy.
ADDITIONAL CONTACTS
| Subject | Contact | Phone | Fax/Email |
|---|---|---|---|
| Primary Contact(s) | Ross Janssen | 612-626-5844 | janss006@umn.edu |
| Policy | Privacy Officer | 612-624-7447 | privacy@umn.edu |
| Procedural Questions | Privacy Officer | 612-624-7447 | privacy@umn.edu |
| Complaints | Privacy Officer | 612-624-7447 | privacy@umn.edu |
| Training and Education Questions | Privacy Officer | 612-624-7447 | privacy@umn.edu |
DEFINITIONS
- HIPAA:
- Health Insurance Portability and Accountability Act of 1996, a federal law related to the privacy of health information.
- PHI:
- Protected Health Information, individual health information covered by HIPAA.
- Covered Entity:
- A health plan, health care clearinghouse, or a health care provider who transmits health information in electronic form in connection with a covered transaction.
- Health Care Component:
- Unit(s) of the University that provide health care or are part of the health plan and are designated by the University as health care components covered under HIPAA. These include units that provide health care ("Provider Components") and the Health Plan of the University ("Health Plan Component").
- Health Plan Component:
- Designated health care component of the University that performs covered functions in the course of administering a group health plan, as defined in 45 C.F.R. §160.103, sponsored by the University.
- Hybrid Entity:
- Single legal entity that is a covered entity, performs business functions that are both covered and non-covered, and designates health care components.
- Individual:
- The person who is the subject of PHI.
- Individual Health Information:
- Protected health information covered by HIPAA and health records protected under Minnesota state law.
- Privacy Coordinator:
- Person designated by each health care component and charged with carrying out the HIPAA compliance responsibilities for a health care component.
- Privacy Officer:
- Person and associated office designated by the University to carry out and coordinate activities related to privacy and security of health information as required by HIPAA.
- Protected Health Information ("PHI"):
- Health information transmitted or maintained in any form or medium that:
- Identifies or could be used to identify an individual;
- Is created or received by a health care provider, health plan, employer or health care clearinghouse; and
- Relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual.
- PHI excludes:
- Student records maintained by an educational institution;
- Treatment records about post-secondary students meeting the requirements of 20 U.S.C. §1232g(a)(4)(B)(iv); and
- Employment records held by a covered entity in its role as employer.
- Provider Component:
- Designated health care component of the University that performs covered functions in the course of providing health care to individuals at the University.
- Secretary:
- Secretary will mean the Secretary of the Department of Health and Human Services or designee.
- Security Contact:
- Person designated by each health care component to serve as the component's primary liaison for security-related communications and incident response.
- Security Officer:
- Person and associated office designated by the University to develop and implement policies and procedures and to carry out and coordinate activities related to privacy and security of health information as required by HIPAA.
- Trainee:
- Person involved in an educational program at the University that provides for the development of additional skills and the opportunity to learn new techniques and acquire experience in the given professional field or in the conduct of research.
- Volunteer:
- Individual who performs uncompensated services for the University under the direction and control of a University supervisor.
- Workforce:
- All employees, volunteers, trainees and other persons whose conduct, in the performance of work for the University, is under the direct control of the University, whether or not they are paid by the University.
RESPONSIBILITIES
- Persons with Access Rights and Responsibilities
- Certain members of the University community require access to individual health information in the course of carrying out their job role, conducting research or participating in educational programs. Persons with access have a responsibility to understand their obligation to protect the privacy of individual health information that has been entrusted to them and are responsible for complying with all relevant University of Minnesota policies and procedures, as well as all current state and federal laws.
- Persons with access are responsible for the following:
- Comply with all University policies and procedures and state and federal laws related to privacy of individual health information.
- Complete all required training on policies, procedures and state and federal laws related to privacy and security of individual health information.
- Use or disclose individual health information only as permitted or required by the University or health care component policies and procedures or state and federal law.
- Workforce members who perform duties for both a covered health care component of the University and non-covered component will not use or disclose PHI created or received in the course of work for the health care component in a prohibited manner.
- Consequences of Violations: Alleged policy violations will be referred to the appropriate University investigative or disciplinary units. Depending on the nature and severity of the offense, policy violations may result in loss of privileges, University disciplinary action up to and including termination of student and/or employee status and referral for criminal prosecution.
- University Rights and Responsibilities
The University is responsible for taking measures to assure that individual health information at the University is protected in accordance with all applicable state and federal laws. When the University becomes aware of prohibited uses or disclosures of individual health information, either through routine administration activities or from a complaint, it is the University's responsibility to investigate as needed and to take necessary actions to end and/or prevent the violation.
Individual units within the University hybrid entity may define additional conditions and procedures related to the privacy and security of individual health information. Such additional conditions and procedures must be consistent with this overall policy but may provide additional detail, guideline, and/or restrictions. The unit must document and retain records of such additional conditions and procedures.
Roles and Responsibilities for specific University entities and individuals are defined in greater detail below.
- Senior Vice President for Health Sciences
- Designate and document the designation of the components that are health care components of the University of Minnesota hybrid entity.
- Designate and document the designation of a Privacy and Security Officer to be responsible for the development and implementation of the policies and procedures of the University.
- Require designation of a Privacy Coordinator and Security Contact for each health care component.
- Designate and document the designation of a contact person or office to be responsible for receiving complaints related to privacy of PHI and who is able to provide further information about matters covered by the Notice of Privacy Practices.
- Provide a procedure for individuals to make complaints concerning policies and procedures related to privacy and security of PHI, or the University's compliance with such policies and procedures.
- Have in place the appropriate administrative, technical and physical safeguards to protect the privacy and provide for the security of PHI.
- Ensure compliance by the University's health care components, including but not limited to compliance with required policies and procedures, enforcement, and implementation of the appropriate administrative, technical and physical safeguards to protect the privacy of PHI.
- Assure that all health care components reasonably safeguard PHI from any intentional or unintentional use or disclosure in violation of applicable laws, and limit incidental uses and disclosures.
- Assure that all health care components take steps to mitigate, to the extent practicable, any harmful effect that is known to the health care component of any unlawful use or disclosure of PHI or any use or disclosure in violation of the policies and procedures of the University or the health care component.
- Assure retention of all required documentation for a period of no less than 6 years from the date of creation or the date when it was last in effect, whichever is later.
- Assure that appropriate sanctions are imposed against members of the University's workforce and University students who fail to comply with the University and health care component privacy and security policies and procedures and state and federal law.
- Privacy Officer
- Maintain ongoing communication with all Privacy Coordinators.
- Implement training programs for covered workforce members, researchers and students in cooperation with the Privacy Coordinators.
- Maintain ongoing communication with the IRB regarding research use of PHI.
- Respond to complaints regarding University policies, procedures and practices related to privacy and security of health information.
- Document all complaints received related to the privacy and security of PHI and the disposition of any such complaints.
- Respond to requests for further information regarding practices related to privacy and security of protected health information.
- Respond to or refer to the appropriate health care component requests by individuals for access and amendment, an accounting of disclosures or requested restrictions to the use and disclosure of the individual's PHI.
- Respond to requests by the Secretary and cooperate as required for compliance with 45 C.F.R. Part 160, Subpart C.
- Develop policies and procedures related to privacy of individual health information that are designed to comply with the applicable laws and ensure that the University's designated health care components do the same.
- Change the University's policies and procedures related to the privacy of individual health information as required to comply with changes to applicable laws, and document any changes prior to the effective date of such change.
- Security Officer
- Maintain ongoing communication with all Privacy Coordinators and Security Contacts.
- Develop and implement ongoing security awareness and training programs for covered workforce members, researchers, and students.
- Maintain ongoing communications with the IRB regarding security in the use of PHI for research purposes.
- Develop policies and procedures related to the security of individual health information that are designed to comply with the applicable laws and ensure that the University's designated health care components do the same.
- Change the University's policies and procedures related to the privacy and security of individual health information as required to comply with changes to applicable laws, and document any changes prior to the effective date of such change.
- Health Care Components (Provider and Health Plan Components)
- Name a Privacy Coordinator for the health care component to perform the role of liaison with the Privacy Officer and to oversee activities related to privacy of individual health information at the component level.
- Designate a Security Contact for the health care component to perform the role of liaison with the Privacy & Security Office.
- Assure that Notices of Privacy Practices are provided, as required by 45 C.F.R. §164.520.
- Implement component policies and procedures related to privacy and security of individual health information designed to comply with state and federal law, and in accordance with applicable University policies and procedures.
- Work with the Privacy and Security Officer to change policies and procedures as required to comply with changes to state and federal law, and document any changes prior to the effective date of such change.
- Have in place the appropriate administrative, technical and physical safeguards to protect the privacy and provide for the security of PHI maintained by the health care component.
- Ensure that component workforce members receive and appropriately display University photo identification as required by the Privacy and Security Officer.
- Identify workforce members who require access to PHI for the performance of their job role. Categorize the workforce roles based on the level of access minimally necessary to perform the job function and restrict access accordingly.
- Identify members of the health care component workforce who must complete required HIPAA related training as appropriate for the workforce members' job role, and take steps to ensure that such training is completed within the required time frames.
- Retain all required documentation related to privacy and security of PHI for a period of no less than 6 years from the date of creation or the date when it was last in effect, whichever is later.
- Impose appropriate corrective action and/or sanctions against members of the health care component's workforce who fail to comply with the University and health care component privacy and security policies and procedures and state and federal law.
APPENDICES
There are no appendices for this policy.
FREQUENTLY ASKED QUESTIONS
There is no FAQ related to this policy.
RELATED INFORMATION
Related Policies:
- Board of Regents Policy: Protection of Individual Health Information
- Administrative Policy: Use and Disclosure of Individual Health Information for Research Purposes
- Administrative Policy: Protection of Individual Health Information by University Health Care Components
- Administrative Policy: Reporting and Notifying Individuals of Security Breaches
State of Minnesota:
Federal:
HISTORY
- Amended:
- April 2005 - Policy language updated so it is explicit that this covers the privacy and security of Private Health Information. Added definitions for Security Contact and Officer to definitions, and added the responsibilities of the Security Officer to responsibilities. Procedure title updated for procedure 2.10.1.1 to reflect privacy and security scope. The reason for the change is to incorporate the designation of Security Officer in the Oversight policy and to incorporate other language to address HIPAA Security Rule requirements.
- Effective:
- May 2006