University of Minnesota Administrative Policy

Protected Health Information

Policy Statement

The University is committed to handling Protected Health Information (PHI) in compliance with all applicable laws and regulations, including but not limited to HIPAA, HITECH, and Minnesota law (collectively “Health Information Privacy Laws”). This policy applies to all University employees, trainees, students and volunteers who are affiliated with a unit of the University that:

  • is designated as a Health Care Component of the University, or
  • has entered into a Business Associate Agreement or sub-contractor Business Associate Agreement, or otherwise handles PHI on behalf of an organization other than the University.   

This policy addresses administrative requirements, breaches, Business Associates, fundraising, guidelines, individual rights, information security, privacy assessments, research, sanctions for violations of this or other University policies and procedures concerning PHI, and training. Units at the University that handle or access PHI may implement additional policies, procedures and guidelines concerning PHI, provided they do not conflict with this policy.

Administrative Requirements

To comply with the requirements of the Health Information Privacy Laws and to secure PHI appropriately, the University must:

  • maintain policies and procedures designed to comply with Health Information Privacy Laws;
  • designate a Chief Health Information Compliance Officer/HIPAA Privacy Officer to develop and implement such policies and procedures;
  • establish and maintain appropriate administrative, technical and physical safeguards to protect the privacy of PHI, which safeguards will be established and maintained by the Chief Health Information Compliance Officer/HIPAA Privacy Officer in collaboration with the Chief Information Security Officer/HIPAA Security Officer and others;
  • maintain documentation of its status under HIPAA as a "Hybrid Entity"; this documentation will be maintained on the University Health Information Privacy and Compliance Office website; and
  • maintain all documentation required by Health Information Privacy Laws for not less than 6 years.

Breaches

Members of the University community who know of or suspect any acquisition, access, use or disclosure of PHI not authorized by the Individual whose PHI is involved, or not otherwise specifically authorized by law (a “Breach”) must report the Breach to the Health Information Privacy and Compliance Office (HIPCO). Reports of Breaches or suspected Breaches can be made anonymously, by phone or by email as outlined on the HIPCO website. Breaches of PHI in any form, whether electronic, paper, verbal or other media, must be reported.  

HIPCO will coordinate an investigation of any reported Breach and assess whether notification regarding the Breach must be provided to the Individual whose PHI has been breached, the federal department of Health and Human Services, and the media, all in accordance with the requirements of Health Information Privacy Laws.

Additionally, all suspected breaches of University data must be reported in accordance with Administrative Policy: Data Security Breach.

Business Associates

Units must enter into a Business Associate Agreement with any vendor that: (i) provides data transmission services to the University with respect to PHI and requires access on a routine basis to such PHI; or (ii) will create, receive, maintain or transmit PHI on behalf of the University. The University form of Business Associate Agreement (DOCX) is maintained in the Contracts Library. It must be signed on behalf of the University by a representative of the unit retaining the vendor, as well as by the University’s Chief Health Information Compliance Officer. If a unit does not use the form of Business Associate Agreement maintained in the Contracts Library, the alternate form of Business Associate Agreement must be reviewed and approved by HIPCO prior to execution of the alternate form. Any form of Business Associate Agreement, including the University form maintained in the Contracts Library, must be signed in connection with an underlying services agreement or other form of agreement with the vendor.

Prior to entering into a Business Associate Agreement, any vendor who wishes to provide Business Associate services to the University must undergo an information security risk analysis coordinated by University Information Security and meet University vendor and supplier requirements. Any issues identified in the information security risk analysis must be addressed by the vendor in a satisfactory manner before the University enters into a Business Associate Agreement with the vendor.

Where the University is asked to enter into a Business Associate Agreement as a Business Associate, the University’s Chief Health Information Compliance Officer/HIPAA Privacy Officer must review and approve the form of Business Associate Agreement to be used, and will consult with University Information Security with respect to the University’s ability to meet the requirements of any such Business Associate Agreement.

Fundraising

The University of Minnesota Foundation in its capacity as an Institutionally Related Foundation may perform fundraising activities on behalf of University health care facilities, including M Health. In connection with its fundraising activities, the University of Minnesota Foundation is permitted to use certain demographic information of Individuals who receive treatment at University health care facilities in accordance with Health Information Privacy Laws and other applicable laws and regulations and as approved by HIPCO. All fundraising appeals made directly to Individuals must include information on how Individuals may opt out of future fundraising. 

Any other organizations performing fundraising activities on behalf of University health care facilities must first enter into a services agreement and Business Associate Agreement with the University. The Business Associate Agreement must meet the requirements of this policy concerning Business Associates.

Guidelines

To help ensure compliance with this policy and the Health Information Privacy Laws, HIPCO may periodically post guidelines on its website to address specific areas of concern.  Guidelines will also be communicated directly to impacted units, and will be updated as needed to ensure continued compliance. Units must take all reasonable steps to comply with applicable guidelines.

Individual Rights

Patients of Health Care Providers and beneficiaries of Health Plans at the University:

  • must receive a Notice of Privacy Practices in a form and manner approved by HIPCO and in a format that is accessible by the patient;
  • must be permitted access to their records upon request;
  • must be permitted to request amendments to their records, which requests must be reviewed on a timely basis and amendments made as appropriate; and
  • must be permitted to request restrictions on the use or disclosure of their records, and all reasonable requests must be accommodated.

Use and disclosure of an Individual’s PHI must be limited to those uses and disclosures that are authorized by the Individual in a form and manner approved by HIPCO, or are otherwise authorized or permitted by Health Information Privacy Laws. Use of PHI for marketing purposes must be approved in advance by HIPCO.

Disclosures of PHI for purposes other than treatment, payment or health care operations that are not authorized by the Individual in writing or are not otherwise exempt from an accounting pursuant to Health Information Privacy Laws must be noted in the Individual’s record, and an accounting of such disclosures must be made available to the Individual upon request.

Information Security

PHI is classified at the highest level of data security for the University, Private Highly Restricted, in accordance with Administrative Policy: Data Security Classification and related Appendix. PHI must be handled in accordance with the highest security level identified in the appendices of Administrative Policy: Information Security, and such other policies, procedures, standards and guidelines as may be developed for the handling of PHI by the University. Units that handle PHI are required to participate in information security risk assessments as required by Administrative Policy: Information Security Risk Management.

Release and disclosure of PHI by the Individual or by organizations other than the University, such as the media, does not change the data security classification of such PHI for the University, nor does it allow such PHI to be handled in any manner other than as set forth in this policy or other applicable University policies and procedures or Health Information Privacy Laws.

Privacy Assessments

To help ensure compliance with this policy and the Health Information Privacy Laws, HIPCO may periodically conduct privacy assessments of individual units that are subject to Health Information Privacy Laws. Individual units will be notified in advance of any such privacy assessments, and must cooperate in providing requested information and taking action to address any concerns identified in any privacy assessments.

Research

University research that includes research team members from the University’s Health Care Components and involves individual health information must comply with Health Information Privacy Laws, Institutional Review Board (IRB) Policies, this policy and all other applicable University policies and guidelines, including securing research data in compliance with HIPAA and University policies. Use of PHI for research purposes is generally permitted where one of the following conditions is met:

  • the Individual whose PHI will be used has signed an authorization form permitting the use of the PHI for research purposes.  The authorization must be in a form approved by the IRB.  
  • the IRB has approved an alteration to or waiver of Individual authorization for use of PHI, as set forth in IRB Policies.
  • the PHI is of decedents, is necessary for the research purposes, and is solely for research on the PHI of the decedents.
  • the PHI is sought solely to prepare a research protocol or for similar purposes preparatory to research, the PHI will not be removed by the researcher in the course of the review, and the PHI is necessary for the research purposes.
  • the PHI is a Limited Data Set and is subject to the University’s form of Data Use Agreement (available on the IRB website) or another form of Data Use Agreement approved by HIPCO. Requirements for the creation of a Limited Data Set can be found on the HIPCO website.
  • the PHI is de-identified in accordance with HIPAA requirements and University policies.  Requirements for the de-identification of PHI can be found on the HIPCO website.

Requests for the use of University of Minnesota Health data for research must be directed through the Clinical and Translational Science Institute’s data access and informatics consulting group (CTSI). Where the University is releasing PHI for research purposes and the release is pursuant to an IRB approval of a waiver of Individual authorization rather than authorization by the Individual, and the release is not part of a Limited Data Set subject to a Data Use Agreement, then the unit releasing the information must document the release so that it can provide an accounting of disclosures to the Individual whose information was released, in the event the Individual requests such an accounting. The information that must be documented includes the date the information was released, to whom the information was released, a description of the information released and the reason for the release. This information must be maintained for not less than six years from the date of the release of the information.

Sanctions for Violations

Any University employee, trainee, student or volunteer who violates this policy, any other University policies or procedures concerning PHI, or any federal or state law related to PHI, may be sanctioned. Sanctions for employees and trainees may include additional training, curtailing or otherwise altering job responsibilities, or other disciplinary action up to and including termination of employment. Sanctions for students may include additional training, or suspension or termination of enrollment in academic programs. Sanctions for volunteers may include additional training, or termination of volunteer participation in any University program or event.

In order to determine appropriate sanctions for employees and trainees, the appointing authority of the employee or trainee will consult with the Vice President and/or Dean (or the designee of the Vice President and/or Dean) of the employee or trainee, HIPCO and the Office of Human Resources. Appropriate sanctions for violations by students and volunteers will be determined by the Dean (or designee) of the applicable school in consultation with HIPCO. Factors to be considered in determining the appropriate sanctions include the person’s intent with respect to the violation, severity of the violation, history of any other violations, applicable processes for the specific employment category for employees and/or trainees, and whether any other organization is responding to the same violation by the same person (e.g., University of Minnesota Health, University of Minnesota Foundation).

In accordance with Administrative Policy: Retaliation, a person reporting a violation by any other person will not be retaliated against for such report.

Training

Training regarding PHI and policies and procedures applicable to PHI must be provided to:  (i) all employees, including student employees and trainees, of the units that comprise the Hybrid Entity; (ii) all students in the schools that comprise the Hybrid Entity; (iii) any volunteers that will be handling PHI or may have access to PHI on a regular basis; and (iv) anyone else that may be considered part of the University’s “work force” and is handling PHI. Training may also be provided to other units that handle sensitive health information or enter into Business Associate agreements. Training must be provided in a format that is accessible by all required recipients.

Employees must be trained within a reasonable time after beginning employment with the University, or after transitioning to a new position within the Hybrid Entity. Students must be trained within a reasonable time after enrollment. Volunteers must be trained prior to engaging in activities with access to PHI. Failure to take training in a reasonable time may result in sanctions for employees and students, and termination of relationships with volunteers. Check with your supervisor or the HIPCO website for guidance on when you must complete training.

HIPCO is responsible for the development of training materials, delivery of training materials, and communications about the timing and frequency of training. Individual units may require their employees, students and/or volunteers to take additional training, and/or require that the training be taken more frequently than is communicated by HIPCO.

Reason for Policy

To implement Board of Regents Policy: Protection of Individual Health Information (PDF), to comply with applicable state and federal laws, and to provide for the appropriate handling of PHI.

Contacts

Subject | Contact | Phone | Email
Primary Contact(s) | Lauren Popp | | [email protected]
General Questions | Health Information Privacy and Compliance Office | 612-624-7447 | [email protected]
PHI Breach Reporting | Health Information Privacy and Compliance Office | 612-624-7447 | [email protected]
Information Security | Brian Dahlin | 612-625-1505 | [email protected]

Responsible Individuals

  • Responsible Officer: Vice President for Clinical Affairs
  • Policy Owner: Administrative Director 1
  • Primary Contact: Lauren Popp, Administrative Director 1

Definitions

Business Associate

A person (other than an employee or member of the work force of the Covered Entity) or organization who (i) on behalf of a Covered Entity, creates, receives, maintains or transmits PHI, or (ii) provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, technology, financial or other services to a Covered Entity and where the provision of the service involves the disclosure of PHI from the Covered Entity to the Business Associate.

Business Associate Agreement

An agreement between a Covered Entity and a Business Associate, or between a Business Associate and a sub-contractor, that requires the Business Associate or sub-contractor, as applicable, to comply with HIPAA in the handling of PHI. 

Covered Entity

A Health Care Provider, Health Plan or a health care clearinghouse.

Covered Functions

Those functions of a Covered Entity the performance of which makes the entity a Health Plan, Health Care Provider, or health care clearinghouse.

Data Use Agreement

An agreement between a Covered Entity and a recipient of a Limited Data Set of the Covered Entity.

Health Care Component

A component, unit, or department in a Hybrid Entity designated as part of the Hybrid Entity.

Health Care Provider

A person or organization providing health care to individual patients and transmitting health information in electronic form in accordance with federal standards to obtain payment for such health care services from insurers and others.

Health Information Privacy Laws

HIPAA, HITECH, Minnesota Health Records Act and other statutes, laws, rules and regulations applicable to the handling of individual health information.

Health Plan

A group health plan, HMO, health insurance issuer or any individual or group plan that provides or pays the cost of medical care.

HITECH

Health Information Technology for Economic and Clinical Health Act and its implementing regulations and any updates or amendments to the same.

HIPAA

Health Insurance Portability and Accountability Act of 1996 and its implementing regulations and any updates or amendments to the same.

Hybrid Entity

A single legal entity that is a Covered Entity whose business activities include both covered and non-covered functions and has designated its Health Care Components which comprise the Hybrid Entity in accordance with HIPAA. The University’s Health Care Components are identified on HIPCO’s website.

Individual

The person who is the subject of PHI.

Institutionally Related Foundation

A foundation that qualifies as a nonprofit charitable foundation under section 501(c)(3) of the Internal Revenue Code and that has in its charter statement of charitable purposes an explicit linkage to a Covered Entity.

IRB

Institutional Review Board.

Limited Data Set

PHI that excludes numerous direct identifiers of Individuals and the Individuals’ relatives, employers and household members. More information on the creation of Limited Data Sets can be found on the HIPCO website. 

Notice of Privacy Practices

A notice to Individuals from Health Plans and Health Care Providers that identifies the rights of Individuals with respect to their PHI.

Protected Health Information (PHI)

Information transmitted or maintained in any form or medium (electronic, paper, oral or other) that (i) is created or received by a Covered Entity or any Health Care Component of a Hybrid Entity, (ii) relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and (iii) is identifiable to an individual or there is a reasonable basis to believe can be used to identify an individual. PHI includes any individual health information created, collected or received by any Health Care Component of the University for either treatment or research purposes. 

Responsibilities

Chief Health Information Compliance Officer/HIPAA Privacy Officer

Provides direction to and manages the Health Information Privacy and Compliance Office.

Health Information Privacy and Compliance Office

Develops and administers the University’s compliance programs and initiatives involving PHI.

HIPAA Steering Committee

Oversight committee that reviews and provides direction on issues brought by the Health Information Privacy and Compliance Office. Chaired by the VP for Clinical Affairs with representation from OHR, OIC, OIT, Health Sciences Technology, OGC and RIO.

Unit Privacy and Compliance Officers

Perform duties at the unit level that align with the University’s compliance programs and initiatives; may develop more detailed policies and procedures applicable to a respective unit.

University employees, trainees, students and volunteers

Comply with the requirements of this policy, any applicable unit policies and procedures, and the Health Information Privacy Laws; report Breaches to the Health Information Privacy and Compliance Office.

VP, Health Sciences

Appoints the Chief Health Information Compliance Officer/HIPAA Privacy Officer; chairs the HIPAA Steering Committee.

History

Amended

January 2020 - Comprehensive review.

  1. Simplified language for clarification;
  2. Incorporated additional activities undertaken by HIPCO since the last comprehensive review, including the posting of guidelines and privacy assessments;
  3. Clarified the requirements for security assessments of business associates.

Amended

August 2017 - New appendix and form added related to the use of text messages to communicate with research participants.

Effective

January 2016 - New Policy.

  1. Consolidates information from three existing policies and 23 procedures, and provides better organization of the information.
  2. Applies to units that enter into Business Associate agreements to handle PHI of organizations other than the University.
  3. Expands the language and sanctions associated with policy violations, based on modifications in the law and in the focus of the enforcement agency (HHS/Office of Civil Rights).