The University is committed to handling Protected Health Information (PHI) in compliance with all applicable laws and regulations, including but not limited to HIPAA, HITECH, and Minnesota law (collectively “Health Information Privacy Laws”). This policy applies to all University employees, trainees, students and volunteers who are affiliated with a unit of the University that:
- is designated as a Health Care Component of the University, or
- has entered into a Business Associate Agreement or sub-contractor Business Associate Agreement, or otherwise handles PHI on behalf of an organization other than the University.
This policy addresses administrative requirements, breaches, Business Associates, fundraising, guidelines, individual rights, information security, privacy assessments, research, sanctions for violations of this or other University policies and procedures concerning PHI, and training. Units at the University that handle or access PHI may implement additional policies, procedures and guidelines concerning PHI, provided they do not conflict with this policy.
To comply with the requirements of the Health Information Privacy Laws and to secure PHI appropriately, the University must:
- maintain policies and procedures designed to comply with Health Information Privacy Laws;
- designate a Chief Health Information Compliance Officer/HIPAA Privacy Officer to develop and implement such policies and procedures;
- establish and maintain appropriate administrative, technical and physical safeguards to protect the privacy of PHI, which safeguards will be established and maintained by the Chief Health Information Compliance Officer/HIPAA Privacy Officer in collaboration with the Chief Information Security Officer/HIPAA Security Officer and others;
- maintain documentation of its status under HIPAA as a "Hybrid Entity," which documentation will be maintained on the University Health Information Privacy and Compliance Office website; and
- maintain all documentation required by Health Information Privacy Laws for not less than six years.
Members of the University community who know of or suspect any acquisition, access, use or disclosure of PHI not authorized by the Individual whose PHI is involved, or not otherwise specifically authorized by law (a “Breach”) must report the Breach to the Health Information Privacy and Compliance Office (HIPCO). Reports of Breaches or suspected Breaches can be made anonymously, by phone or by email as outlined on the HIPCO website. Breaches of PHI in any form, whether electronic, paper, verbal or other media, must be reported.
HIPCO will coordinate an investigation of any reported Breach and assess whether notification regarding the Breach must be provided to the Individual whose PHI has been breached, the federal Department of Health and Human Services, and the media, all in accordance with the requirements of Health Information Privacy Laws.
Additionally, all suspected breaches of University data must be reported in accordance with Administrative Policy: Data Security Breach.
Units must enter into a Business Associate Agreement with any vendor that: (i) provides data transmission services to the University with respect to PHI and requires access on a routine basis to such PHI; or (ii) will create, receive, maintain or transmit PHI on behalf of the University. The University form of Business Associate Agreement (DOCX) is maintained in the Contracts Library. It must be signed on behalf of the University by a representative of the unit retaining the vendor, as well as by the University’s Chief Health Information Compliance Officer. If a unit does not use the form of Business Associate Agreement maintained in the Contracts Library, the alternate form of Business Associate Agreement must be reviewed and approved by HIPCO prior to execution of the alternate form. Any form of Business Associate Agreement, including the University form maintained in the Contracts Library, must be signed in connection with an underlying services agreement or other form of agreement with the vendor.
Prior to entering into a Business Associate Agreement, any vendor who wishes to provide Business Associate services to the University must undergo an information security risk analysis coordinated by University Information Security and meet University vendor and supplier requirements. Any issues identified in the information security risk analysis must be addressed by the vendor in a satisfactory manner before the University enters into a Business Associate Agreement with the vendor.
Where the University is asked to enter into a Business Associate Agreement as a Business Associate, the University’s Chief Health Information Compliance Officer/HIPAA Privacy Officer must review and approve the form of Business Associate Agreement to be used, and will consult with University Information Security with respect to the University’s ability to meet the requirements of any such Business Associate Agreement.
The University of Minnesota Foundation in its capacity as an Institutionally Related Foundation may perform fundraising activities on behalf of University health care facilities, including M Health. In connection with its fundraising activities, the University of Minnesota Foundation is permitted to use certain demographic information of Individuals who receive treatment at University health care facilities in accordance with Health Information Privacy Laws and other applicable laws and regulations and as approved by HIPCO. All fundraising appeals made directly to Individuals must include information on how Individuals may opt out of future fundraising.
Any other organizations performing fundraising activities on behalf of University health care facilities must first enter into a services agreement and Business Associate Agreement with the University. The Business Associate Agreement must meet the requirements of this policy concerning Business Associates.
To help ensure compliance with this policy and the Health Information Privacy Laws, HIPCO may periodically post guidelines on its website to address specific areas of concern. Guidelines will also be communicated directly to impacted units, and will be updated as needed to ensure continued compliance. Units must take all reasonable steps to comply with applicable guidelines.
Patients of Health Care Providers and beneficiaries of Health Plans at the University:
- must receive a Notice of Privacy Practices in a form and manner approved by HIPCO and in a format that is accessible by the patient;
- must be permitted access to their records upon request;
- must be permitted to request amendments to their records, which requests must be reviewed on a timely basis and amendments made as appropriate; and
- must be permitted to request restrictions on the use or disclosure of their records, and all reasonable requests must be accommodated.
Use and disclosure of an Individual’s PHI must be limited to those uses and disclosures that are authorized by the Individual in a form and manner approved by HIPCO, or are otherwise authorized or permitted by Health Information Privacy Laws. Use of PHI for marketing purposes must be approved in advance by HIPCO.
Disclosures of PHI for purposes other than treatment, payment or health care operations that are not authorized by the Individual in writing or are not otherwise exempt from an accounting pursuant to Health Information Privacy Laws must be noted in the Individual’s record, and an accounting of such disclosures must be made available to the Individual upon request.
PHI is classified at the highest level of data security for the University, Private Highly Restricted, in accordance with Administrative Policy: Data Security Classification and related Appendix. PHI must be handled in accordance with the highest security level identified in the appendices of Administrative Policy: Information Security, and such other policies, procedures, standards and guidelines as may be developed for the handling of PHI by the University. Units that handle PHI are required to participate in information security risk assessments as required by Administrative Policy: Information Security Risk Management.
Release and disclosure of PHI by the Individual or by organizations other than the University, such as the media, does not change the data security classification of such PHI for the University, nor does it allow such PHI to be handled in any manner other than as set forth in this policy or other applicable University policies and procedures or Health Information Privacy Laws.
To help ensure compliance with this policy and the Health Information Privacy Laws, HIPCO may periodically conduct privacy assessments of individual units that are subject to Health Information Privacy Laws. Individual units will be notified in advance of any such privacy assessments, and must cooperate in providing requested information and taking action to address any concerns identified in any privacy assessments.
University research that includes research team members from the University’s Health Care Components and involves individual health information must comply with Health Information Privacy Laws, Institutional Review Board (IRB) Policies, this policy and all other applicable University policies and guidelines, including securing research data in compliance with HIPAA and University policies. Use of PHI for research purposes is generally permitted where one of the following conditions is met:
- the Individual whose PHI will be used has signed an authorization form permitting the use of the PHI for research purposes. The authorization must be in a form approved by the IRB.
- the IRB has approved an alteration to or waiver of Individual authorization for use of PHI, as set forth in IRB Policies.
- the PHI is of decedents, is necessary for the research purposes, and is solely for research on the PHI of the decedents.
- the PHI is sought solely to prepare a research protocol or for similar purposes preparatory to research, the PHI will not be removed by the researcher in the course of the review, and the PHI is necessary for the research purposes.
- the PHI is a Limited Data Set and is subject to the University’s form of Data Use Agreement (available on the IRB website) or another form of Data Use Agreement approved by HIPCO. Requirements for the creation of a Limited Data Set can be found on the HIPCO website.
- the PHI is de-identified in accordance with HIPAA requirements and University policies. Requirements for the de-identification of PHI can be found on the HIPCO website.
Requests for the use of University of Minnesota Health data for research must be directed through the Clinical and Translational Science Institute’s data access and informatics consulting group (CTSI). Where the University is releasing PHI for research purposes and the release is pursuant to an IRB approval of a waiver of Individual authorization rather than authorization by the Individual, and the release is not part of a Limited Data Set subject to a Data Use Agreement, then the unit releasing the information must document the release so that it can provide an accounting of disclosures to the Individual whose information was released, in the event the Individual requests such an accounting. The information that must be documented includes the date the information was released, to whom the information was released, a description of the information released and the reason for the release. This information must be maintained for not less than six years from the date of the release of the information.
Sanctions for Violations
Any University employee, trainee, student or volunteer who violates this policy, any other University policies or procedures concerning PHI, or any federal or state law related to PHI, may be sanctioned. Sanctions for employees and trainees may include additional training, curtailing or otherwise altering job responsibilities, or other disciplinary action up to and including termination of employment. Sanctions for students may include additional training, or suspension or termination of enrollment in academic programs. Sanctions for volunteers may include additional training, or termination of volunteer participation in any University program or event.
In order to determine appropriate sanctions for employees and trainees, the appointing authority of the employee or trainee will consult with the Vice President and/or Dean (or the designee of the Vice President and/or Dean) of the employee or trainee, HIPCO and the Office of Human Resources. Appropriate sanctions for violations by students and volunteers will be determined by the Dean (or designee) of the applicable school in consultation with HIPCO. Factors to be considered in determining the appropriate sanctions include the person’s intent with respect to the violation, severity of the violation, history of any other violations, applicable processes for the specific employment category for employees and/or trainees, and whether any other organization is responding to the same violation by the same person (e.g., University of Minnesota Health, University of Minnesota Foundation).
In accordance with Administrative Policy: Retaliation, a person reporting a violation by any other person will not be retaliated against for such report.
Training regarding PHI and policies and procedures applicable to PHI must be provided to: (i) all employees, including student employees and trainees, of the units that comprise the Hybrid Entity; (ii) all students in the schools that comprise the Hybrid Entity; (iii) any volunteers who will be handling PHI or may have access to PHI on a regular basis; and (iv) anyone else who may be considered part of the University’s “work force” and is handling PHI. Training may also be provided to other units that handle sensitive health information or enter into Business Associate Agreements. Training must be provided in a format that is accessible by all required recipients.
Employees must be trained within a reasonable time after beginning employment with the University, or after transitioning to a new position within the Hybrid Entity. Students must be trained within a reasonable time after enrollment. Volunteers must be trained prior to engaging in activities with access to PHI. Failure to take training in a reasonable time may result in sanctions for employees and students, and termination of relationships with volunteers. Check with your supervisor or the HIPCO website for guidance on when you must complete training.
HIPCO is responsible for the development of training materials, delivery of training materials, and communications about the timing and frequency of training. Individual units may require their employees, students and/or volunteers to take additional training, and/or require that the training be taken more frequently than is communicated by HIPCO.
Reason for Policy
To implement Board of Regents Policy: Protection of Individual Health Information (PDF), to comply with applicable state and federal laws, and to provide for the appropriate handling of PHI.