Pol-HIPAA Privacy Policy

policy policy hipaa privacy modified Wed Nov 25 2020 11:31:21 GMT-0500 (Eastern Standard Time)

UofL Logo

University of Louisville

OFFICIAL
UNIVERSITY
ADMINISTRATIVE
POLICY

POLICY NAME

HIPAA Privacy Policy

EFFECTIVE DATE

July 1, 2015

POLICY NUMBER

HPR-1.01

POLICY APPLICABILITY

This policy applies to University Employees (administrators, faculty, and staff).

REASON FOR POLICY

The colleges, schools, departments, and administrative business units of the University that have been designated to be within the Health Care Component of the University of Louisville’s Hybrid Covered Entity are responsible for complying with the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  Such compliance promotes a culture that adheres to the requirements of the regulations and values and protects the privacy of the Protected Health Information within its possession.  

POLICY STATEMENT

The colleges, schools, departments, and administrative business units of the University that have been designated to be within the Health Care Component of the University’s Hybrid Covered Entity are required to comply with the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) by:

  1. Adhering to the University of Louisville Privacy Office HIPAA Policy Manual (available on the Privacy Office website).  Members of the Health Care Component may develop HIPAA privacy policies and procedures specific to the University area involved, provided that the policies and procedures are at least as stringent as the University of Louisville Privacy Office HIPAA Policy Manual.  
  2. Ensuring that all Workforce members of the Health Care Component know and understand the University of Louisville Privacy Office HIPAA Policy Manual, as well as the Health Care Component’s policies and procedures, as applicable, and where to access them.
  3. Ensuring that appropriate online and area-specific training are provided to all Workforce members who may have access to Protected Health Information.
RELATED INFORMATION

•        HIPAA Privacy Regulations and Guidance, U.S. Department of Health and Human Services website: http://www.hhs.gov/ocr/privacy/index.html 

•        Privacy Office website: http://louisville.edu/privacy

•        University Policy and Procedure Templates: http://louisville.edu/policies/policy-resources

DEFINITIONS

Covered Entity means:

  1. A health plan.
  2. A health care clearinghouse.
  3. A health care provider who transmits any health information in electronic form in connection with a transaction covered by HIPAA.


Hybrid Covered Entity
means: 

A single legal entity that is a Covered Entity whose business activities include both HIPAA covered and non-covered functions. The entity is permitted to place areas which engage in activities regulated under HIPAA into a health care component.  The areas inside the health care component must follow HIPAA regulations; however, the areas which are outside the health care component are not bound by HIPAA regulations.  The current designated health care component can be found on the Privacy Office website at http://louisville.edu/privacy


Protected Health Information
means:

All "individually identifiable health information" held or transmitted by a Covered Entity or its business associate, in any form or media, whether electronic, paper, or oral. 

“Individually identifiable health information” is information, including demographic data, that relates to:

•the individual’s past, present or future physical or mental health or condition,

•the provision of health care to the individual, or

•the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. 

Protected Health Information excludes individually identifiable health information:

  1. Covered by the Family Educational Rights and Privacy Act, as amended (20 U.S.C. l 232g),
  2. In employment records held by a Covered Entity in its role as employer, and 
  3. Regarding a person who has been deceased for more than 50 years.

Workforce means:

Employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a Covered Entity or Business Associate, is under the direct control of such Covered Entity or Business Associate, whether or not they are paid by the Covered Entity or Business Associate.   For purposes of this definition, the University includes students as part of its Workforce.

PROCEDURES

The colleges, schools, departments, and administrative business units of the University that have been designated to be within the Health Care Component of the University of Louisville’s Hybrid Covered Entity are expected to:

  1. Review the University of Louisville Privacy Office HIPAA Policy Manual available on the Privacy Office website.
  2. If desired, develop official policies specific to their college, school, department, or administrative business unit.  Policies and Procedures within the Health Care Components must be at least as stringent as the University of Louisville Privacy Office HIPAA Policy Manual. 
  3. Develop area-specific procedures to delineate the steps to be performed to implement the University and area policies in a compliant manner.
  4. Train all Workforce members who may have access to Protected Health Information regarding HIPAA policies and procedures.
  5. Ensure all Workforce members know how to access University and area-specific HIPAA policies and procedures.
ADMINISTRATIVE AUTHORITY

Vice President for Risk, Audit, and Compliance

RESPONSIBLE UNIVERSITY DEPARTMENT/DIVISION

Privacy Office
425 West Lee St.
Louisville, KY  40208
Phone:  502-852-4062
Email:  privacy@louisville.edu

HISTORY

1/25/2019 - updated Administrative Authority and Privacy Office contact information.

Revision Date(s): January 25, 2019; November 24, 2020
Reviewed Date(s): 

The University Policy and Procedure Library is updated regularly. In order to ensure a printed copy of this document is current, please access it online at http://louisville.edu/policies.