Pol-HIPAA Privacy Policy Management

policy HIPAA privacy management modified Tue Mar 17 2020 13:43:30 GMT-0400 (Eastern Daylight Time)

University of Louisville

OFFICIAL UNIVERSITY ADMINISTRATIVE POLICY

POLICY NAME

HIPAA Privacy Policy Management

EFFECTIVE DATE

July 1, 2015

POLICY NUMBER

HPR-1.01

POLICY APPLICABILITY

This policy applies to the University Employees (administrators, faculty, and staff).

POLICY STATEMENT

Members of the Health Care Component of the University who are responsible for the management of their areas need to comply with the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) by:

A. Developing HIPAA Privacy policies and procedures specific to the University area involved, based on the guidance documents available on the Privacy Office website.

B. Ensuring that all Workforce members of the area know and understand the policies and procedures and where to access them.

C. Ensuring that appropriate general online and area-specific training are provided for all personnel within their given area who could have access to Protected Health Information.

REASON FOR POLICY

The University of Louisville is responsible for complying with the requirements of HIPAA that are relevant to those areas of the University covered by the HIPAA regulations.  This includes those areas that qualify as Covered Entities under HIPAA, as well as those functioning as Business Associates for the University’s Covered Entities.  Such compliance promotes a culture that adheres to the requirements of the regulations and values and protects the privacy of the Protected Health Information within its possession.  

RELATED INFORMATION

  • HIPAA Privacy Regulations and Guidance on the U.S. Department of Health and Human Services website: http://www.hhs.gov/ocr/privacy/index.html

DEFINITIONS

Business Associate (This is an abbreviated definition. For the full definition, see page 11 of https://www.hhs.gov/sites/default/files/hipaa-simplification-201303.pdf (PDF).)

Business Associate means a person who:

On behalf of a Covered Entity or Business Associate, but other than in the capacity of a member of the Workforce of such Covered Entity or Business Associate:

A.  Creates, receives, maintains, or transmits Protected Health Information for a function or activity regulated by HIPAA, or

B.  Provides other services that involve the disclosure of Protected Health Information to the person.

Covered Entity means:

A.  A health plan.

B.  A health care clearinghouse.

C.  A health care provider who transmits any health information in electronic form in connection with a transaction covered by HIPAA.

Health Care Component means:

Those areas of the University that meet HIPAA’s definition of Covered Entity or that are functioning as a Business Associate for a Covered Entity area.  The current structure can be found on the Privacy Office website:

http://louisville.edu/privacy/covered-entity-status

Protected Health Information means individually identifiable health information that is:

A.  Transmitted by electronic media;

B.  Maintained in electronic media; or

C.  Transmitted or maintained in any other form or medium.

Protected Health Information excludes individually identifiable health information:

A.  Covered by the Family Educational Rights and Privacy Act, as amended (20 U.S.C. 1232g);

B.  In employment records held by a covered entity in its role as employer; and

C.  Regarding a person who has been deceased for more than 50 years.

Workforce means:

Employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a Covered Entity or Business Associate, is under the direct control of such Covered Entity or Business Associate, whether or not they are paid by the Covered Entity or Business Associate.

PROCEDURES

Members of the Health Care Component of the University who are responsible for the management of their areas need to:

  • Review the guidance documents available on the Privacy Office website.
  • For those relevant to the work performed in their areas, develop the guidance documents into official policies for their areas.
  • Develop area-specific procedures to delineate the steps to be performed to implement the policy compliantly.
  • Train all relevant workforce members on the policies and procedures.
  • Maintain the policies and procedures in a location accessible to all workforce members, and ensure that the location is known.

ADMINISTRATIVE AUTHORITY

Vice President for Risk, Audit, and Compliance

RESPONSIBLE UNIVERSITY DEPARTMENT/DIVISION

Privacy Office
425 West Lee St.
Louisville, KY  40208
Phone:  502-852-4062
Email:  privacy@louisville.edu

HISTORY

1/25/2019 – updated Administrative Authority and Privacy Office contact information

Revision Date(s): January 25, 2019

Reviewed Date(s): 

The University Policy and Procedure Library is updated regularly. In order to ensure a printed copy of this document is current, please access it online at http://louisville.edu/policies.