AD22 Health Insurance Portability and Accountability Act (HIPAA)
Subject Matter Expert:
Policy Steward:Senior Vice President and Chief of Staff>
To describe the responsibilities of The Pennsylvania State University (“University”) under the Health Insurance Portability and Accountability Act of 1996 and its implementing federal regulations (collectively, “HIPAA”).
Covered Component -An area within a Hybrid Entity that is a health care provider, health plan, or health care clearinghouse that transmits health information in electronic form in connection with a covered transaction. A Covered Component must comply with HIPAA.
Covered Transaction– The transmission of information between two parties to carry out financial or administrative activities related to health care (e.g. health claims, payment, coordination of benefits, enrollment or disenrollment, eligibility for a health plan, and other transactions that the Secretary of the Department of Health and Human Services may prescribe by regulation 45 CFR § 160.103).
Hybrid Entity-An organization that performs both HIPAA-covered and non-covered functions as part of its business.
National Institute of Standards and Technology (NIST) – Agency responsible for developing standards and guidelines, including minimum requirements, used by federal agencies in providing adequate information security for the protection of agency operations and assets.
Protected Health Information (PHI) - Individually identifiable health information that is collected from an individual, created or received by a health care provider, health plan, health care clearinghouse, or other employee of one of the Covered Components of the University. This PHI is confidential and must be treated as protected under HIPAA. Protected Health Information relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual.
This policy is applicable to the University’s academic and administrative units, except the College of Medicine and Hershey Medical Center, and applies to all units determined to be Covered Components under HIPAA.
I. Designation of Covered Components
The University is considered a Hybrid Entity under HIPAA as an organization whose activities include both HIPAA-covered and non-covered functions. As such, the University has identified specific units to be Covered Components that are required to meet specific standards under HIPAA as participants in the delivery of health care, paying for health care, and providing operational support for health care services. In addition, units providing services and support functions to those Covered Components involved in treatment, payment, and health care operations must meet specific requirements under HIPAA. A summary of the HIPAA privacy regulations are located at 45 CFR Part 160 and Subparts A and E of Part 164.
A list of the University’s identified Covered Components can be obtained, per request, from the HIPAA Compliance Team at email@example.com.
II. Requirements for Covered Components
Covered Components of the University and their individual employees, students and volunteers must comply with the following privacy and security practices in the use, storage and disclosure of protected health information as required by HIPAA.
PHI obtained by those involved in providing health care will be recorded in a medical record and used to determine the course of treatment. Other members of the health care team may use this record to help in treatment and in order to coordinate the different services individuals might need, such as prescriptions, lab work, and x-rays. If an individual is referred to another clinician or hospital, PHI regarding their treatment at the University may be shared with these health care providers without the individual’s authorization, with the exception of mental health records.
Health care personnel in a Covered Component may use PHI to create a bill to be sent to an individual patient or a third-party payor like an insurance company without the individual’s authorization, unless the individual specifically opts out of submitting the bill to insurance and self-pays for the health care services. The information on or accompanying the bill may include PHI such as an individual's diagnosis, procedures, and supplies used.
Standard Electronic Transactions
Covered Components routinely billing for their services, performing transactions covered under HIPAA, and performing those transactions electronically must comply with the standard transaction code sets of HIPAA implemented by the Centers for Medicare and Medicaid Services.
Quality Improvement Activities
Members of the clinical staff of a Covered Component, the risk or quality improvement manager, or members of the quality improvement team may use PHI without the individual’s authorization to conduct quality assessment and improvement activities and case management and care coordination efforts. Covered Components may use PHI to review treatment and services and to evaluate the performance of staff involved in providing care to patients.
Minimum Necessary Use or Disclosure
Staff employed within the Covered Components shall be granted access only to the minimum amount of PHI required to perform their job functions, required by 45 164.502(b), 162.514 (d). Moreover, for any PHI disclosure, the Covered Component must develop standard criteria to limit the PHI disclosed to the amount reasonably necessary to achieve the purpose of the disclosure.
Security of Electronic PHI (ePHI)
All Covered Components and members of their workforce (employees, students, and volunteers) must take appropriate and reasonable measures, based on the NIST administrative, technical and physical safeguards, to protect the integrity, confidentiality, and availability of PHI. Specifically, Covered Components must assess the needs for such safeguards, select and implement protections appropriate for the Covered Component, and collaborate with the University’s HIPAA Security Officer, in the process of assessing and implementing such safeguards. These safeguards must protect PHI from any intentional or unintentional use or disclosure that is a violation of the standards contained in this policy. A summary of The Security Rule is located at 45 CFR Part 160 and Subparts A and C of Part 164.
In no case will PHI be transmitted electronically, unencrypted or reside on any system without being encrypted at rest, unless appropriately discussed with the HIPAA Privacy and Security Officers. Additional information pertaining to the protection of Personally Identifiable Information (PII) can be referenced in Policy AD53 and its corresponding Standard.
Develop Access Control of PHI
All Covered Components must develop policies that identify the types of persons within their unit that need access to PHI and the specific PHI to which they need access.
Notice of Privacy Practices
Each Covered Component that has a direct treatment relationship with an individual must provide a Notice of Privacy Practices (the "Notice") to such individual upon the first delivery of services following the effective date of this policy. If the first delivery of services is an emergency situation, the Notice may be provided as soon as reasonably practical. The Covered Component must make a good faith effort to obtain a written acknowledgment from the individual that a Notice was provided, and if not obtained, the good faith efforts to obtain the individual's acknowledgment and why it was not obtained. The Notice must be readily available at all practice sites of Covered Components for distribution upon request, and must be posted for public view at an easily visible location.
Use of Support Services from Outside Vendors
A Covered Component may need to contract or otherwise arrange for services of a business, organization, or an individual who is not employed by the University (a "vendor") in order to perform tasks or services in support of the operations of the Covered Component. If the vendor will have access to PHI in the course of performing such services, a Business Associate Agreement between the University and the vendor must be in place prior to commencement of work. The University Purchasing Office may be responsible for the preparation and processing of Business Associate Agreements, if appropriate, and in coordination with the HIPAA Privacy Officer, HIPAA Security Officer, Risk Management, and the Office of General Counsel (OGC).
Access to PHI by Other University Units and Employees
A Covered Component may not disclose PHI, or allow the opportunity for access to PHI, to any University employee who is not assigned to work in a Covered Component as designated in Part I of this policy, unless (a) the individual has signed a HIPAA-Compliant Authorization Form for such release; (b) such disclosure or access is necessary for the treatment of patients, for obtaining payment for services, or for the operation of the Covered Component; (c) such disclosure or access has been approved for research in accordance with Policy RP07; (d) such disclosure or access is authorized in advance by the HIPAA Privacy Officer; or (e) such disclosure, or access is authorized by the Office of General Counsel, pursuant to section III.(B). and III.(I)., below.
Disposal of Paper and Electronic Records and Media Containing PHI
Covered Components must establish safeguards for proper, HIPAA-Complaint disposal of paper and electronic records and media containing PHI. If Covered Components do not shred paper products internally in a secure manner (cross-cut shredding) and outside services are required, the Covered Component must use the University approved document destruction service. If alternative methods are used, they must be approved by the HIPAA Privacy and Security Officers. The methods of disposal of electronic records and media must meet standards established by the University's Office of Information Security. Personal computers and servers containing PHI may only be disposed of in accordance with the procedures established by the Office of Information Security, and in accordance with Policy AD35.
Covered Components cannot use or disclose PHI for purposes of research, except as approved by the Office of Research Protections (See Policy RP07). This restriction applies to research proposed by University faculty, staff and students, as well as to research proposed by any other person or organization.
III. Disclosure of PHI Outside of Covered Components
Covered Components may disclose an individual's PHI in accordance with the terms of a written and signed HIPAA-Compliant Authorization Form furnished by that individual.
As Required by Law
Covered Components may disclose PHI about individuals without their authorization when required to do so by federal, state or local law. Questions or concerns regarding disclosures pursuant to this section should be directed to the University’s Office of General Counsel.
To Avert A Serious Threat to Health and Safety
Covered Components may use and disclose PHI about individuals without their authorization when necessary to prevent a serious threat to the individual's health and safety or the health and safety of the public or another person. Any disclosure to prevent a serious threat to health and safety may only be to someone able to help prevent that threat.
Outside Individuals Involved in a Patient's Care
In life threatening/extreme emergency situations, Covered Components may use or disclose PHI without the individual's authorization to notify, or assist in notifying a family member, personal representative, or another person responsible for the care of another individual, regarding the location and general condition of the individual. Covered Components may release PHI about individuals to a friend or family member who is involved in the health care of an individual. In addition,Covered Components may disclose PHI about the individual to an organization assisting in a disaster relief effort so that the individual's family can be notified about their condition, status and location.
Public Health Risks
Covered Components may disclose PHI without the individual’s authorization to certain public health authorities and others responsible for ensuring public health and safety who are legally authorized to receive such reports for certain public health activities. These activities generally include the following:
- to prevent or control disease, injury or disability;
- to report births and deaths;
- to report child abuse or neglect;
- to report reactions to medications or problems with products;
- to notify people of recalls of products they may be using;
- to notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition; and
- to notify the appropriate government authority if an individual has been the victim of abuse, neglect or domestic violence. This disclosure may occur only if the individual agrees or when the Covered Component is required or authorized by law.
Health Oversight Activities
PHI may be disclosed by Covered Components without the individual’s authorization to a health oversight agency for activities authorized by law. These oversight activities include,for example, audits, investigations, inspections, and licensure. These activities are necessary for the government to monitor the health care system,government programs, and compliance with civil rights laws.
Military and Veterans
PHI about members of the United States armed forces or foreign military personnel as requested by military command authorities to assure the proper execution of the military mission, may be disclosed by Covered Components without the individual’s authorization. This disclosure may occur only if the appropriate military authority has published a notice in the Federal Register with the following information:
- appropriate military command authorities or the appropriate foreign military authority, and;
- purposes for which the protected PHI may be issued or disclosed.
- appropriate military command authorities or the appropriate foreign military authority, and;
PHI may be disclosed by Covered Components without the individual’s authorization to the extent authorized by and to the extent necessary to comply with laws relating to workers' compensation or other similar programs established by law.
Lawsuits and Disputes
At the direction of the Office of General Counsel, PHI may be disclosed by Covered Components in connection with a lawsuit or dispute in response to a court or administrative order. Covered Components may also disclose medical information in response to a subpoena,discovery request, or other lawful process by someone else involved in the dispute if such subpoena provides “satisfactory assurances”, usually in the form of a Notice of Intent, that ensures the individual whose PHI is sought has been notified of the subpoena and has had appropriate time to quash the subpoena and/or in response to a HIPAA compliant authorization. A Covered Component may use and disclose PHI without the individual’s authorization in defending or asserting a lawsuit involving an individual's treatment by that Covered Component. Questions or concerns regarding disclosures pursuant to this section should be directed to the University’s Office of General Counsel.
PHI may be disclosed by Covered Components without the individual’s authorization if asked to do so by a law enforcement official:
- at the direction of the Office of General Counsel in response to a court order, subpoena (with “satisfactory assurances”), grand jury subpoena (no satisfactory assurances required), search warrant or summons issued by a judge;
- to identify or locate a suspect, fugitive, material witness, or missing person by providing only certain limited disclosures of PHI;
- about the victim of a crime if, under certain limited circumstances, we are unable to obtain the person's agreement;
- to report child abuse to ChildLine;
- when required by state law (e.g. incidents of gunshot or stab wounds);
- to report PHI that the Covered Component in good faith believes to be evidence of a crime that occurred on the Covered Component’s premises; and
- as necessary to alert law enforcement about criminal activity, specifically, the commission and nature of the crime, the location of the crime or any victims and the identity, description and location of the perpetrator the crime.
National Security and Intelligence Activities
PHI may be disclosed by Covered Components to authorized federal officials without the individual consent for intelligence, counterintelligence, and other national security activities authorized by law.
Protective Services of the President of the United States and Others
PHI may be disclosed by Covered Components to authorized federal officials without the individual’s consent so they may provide protection to the President of the United States,other authorized persons or foreign heads of state or conduct special investigations.
PHI may be disclosed by Covered Components without the individual’s consent about inmates of a correctional institution or under the custody of a law enforcement official to the correctional institution or law enforcement official. This information maybe disclosed if it is necessary for the institution to provide the inmate with health care; to protect the inmate's health and safety or the health and safety of others; or for the safety and security of the correctional institutions.
Coroners, Medical Examiners and Funeral Directors
PHI may be disclosed by Covered Components to a coroner or medical examiner. This may be necessary to identify a deceased person or to determine the cause of death. In addition, Covered Components may disclose PHI to funeral directors as necessary to carry out their duties with respect to the deceased.
Accounting for Disclosures
All Covered Components must have systems in place for the accounting of disclosures of PHI. Specifically, Covered Components must be able to list all disclosures the Covered Component has made of the individual’s PHI that does not include disclosures to the individual, disclosures for treatment, payment or operations purposes, those disclosures previously authorized by the individual, national security or intelligence purposes or to correctional institutions. Such disclosures must follow the retention schedule in University Policy AD35, University Archives and Record Management.
IV. Individual Rights to Be Assured by Covered Components
Individuals have the following rights regarding PHI that Covered Components maintain about them:
Right to Inspect and Copy
Individuals have the right to inspect and copy PHI that may be used to make decisions about their own care. This includes medical and billing records, but does not include psychotherapy notes. To inspect and copy PHI,individuals must submit their request in writing to the Covered Component creating or using that PHI. If individuals request a copy of the PHI, the Covered Component may charge a fee for the costs of copying, mailing or other supplies associated with the request. The Covered Component may deny a request to inspect and copy in certain very limited circumstances. If an individual is denied access to PHI, they may request that the denial be reviewed. Another licensed health care professional chosen by the University will review the request and the denial. The person conducting the review will not be the person who denied the original request.
Right to Amend
If an individual maintains that PHI the Covered Component has about them is incorrect or incomplete, they may ask the Covered Component to amend the information. The individual has the right to request an amendment for as long as the information is kept by or for the Covered Component.
To request an amendment, a request must be made in writing and submitted to the Covered Component responsible for the maintenance of that information. In addition, the individual must provide a detailed reason that supports the request.
A Covered Component may deny the request for an amendment if it is not in writing or does not include a reason to support the request. In addition, Covered Components may deny the request if the individual asks to amend information that:
- was not created by the Covered Component;
- is not part of the PHI kept by or for the Covered Component;
- is not part of the information which an individual would be permitted to inspect and copy; or
- is accurate and complete in the opinion of the health care professional who documented it.
Right to an Accounting of Disclosures
Individuals have the right to request an accounting of disclosures of their PHI that occurred within the last six (6) years, as referenced in Section III, Subpart O, above.
To request an accounting of disclosures, the individual must submit a request in writing to the Covered Component responsible for that PHI. The request must state a time period, which may not be longer than six (6) years from the date of the request. The request should indicate in what form the individual wants the list (e.g., on paper,electronically). Covered Components may charge individuals for the cost of providing the list. Covered Components must notify individuals of the cost involved and individuals may choose to withdraw or modify their request at that time before any costs are incurred.
Right to Request Restrictions
Individuals have the right to request a restriction or limitation on the PHI used by Covered Components or disclosed about the individual for treatment, payment or health care operations. Covered Components are not required to agree to the individual's request. However, Covered Components may not disclose an individual’s PHI to their health insurer if the individual pays out of pocket, in full, for their care and specifically requests this restriction.
Restrictions must be requested in writing to the Covered Components responsible for the use and disclosure of that PHI. In the request, the individual must tell the Covered Component (1) what information they want to limit; (2) whether they want to limit use, disclosure or both; and (3) to whom they want the limits to apply, for example, disclosure to a spouse, parent or health insurer.
Right to Request Confidential Communications
Individuals have the right to request that University personnel communicate with them about health care matters in a certain way or at a certain location. For example, the individual can request that they only be contacted at work. To request confidential communications, individuals must make their request in writing to the Covered Component responsible for this communication.University personnel may not ask the individual the reason for the request. The responsible Covered Component shall accommodate all reasonable requests so long as that request does not violate the other protections specified in this policy or other state or federal law. Any request must specify how or where the individual wishes to be contacted.
Right to a Paper Copy of the Notice of Privacy Practices
The individual has the right to a paper copy of the Notice. Individuals may ask Covered Components to give them a copy of the Notice at any time. Even if an individual has agreed to receive the Notice electronically, they are still entitled to a paper copy of the Notice.
Right to Receive Notice of a Breach
Pursuant to the HIPAA Breach Notification Rule, an individual has a right to receive a written notice if their unsecured PHI has been breached while in the possession, custody or control of a Covered Component or a vendor working with the Covered Component. If you suspect a breach of unsecured PHI has occurred, immediately report this to firstname.lastname@example.org or email@example.com.
V. Administration and Compliance
A. Privacy Officer Designation .
The University shall designate a HIPAA Privacy Officer responsible for coordinating compliance with specific standards of the HIPAA Privacy Rule regulations.
B. Security Officer Designation
The University shall designate a HIPAA Security Officer responsible for coordinating compliance with specific standards of the HIPAA Security Rule regulations, in regards to the protection of Electronic Protected Health Information (ePHI).
Security standards under HIPAA, when issued, will be in coordination with the NIST safeguards, along with Penn State Policy AD95 and its corresponding Security Standards.
C. Health Care Component HIPAA Compliance
Each Covered Component must assign a staff member, within their area, the responsibility of HIPAA compliance and regulatory implementation to include both the Privacy and Security Rules.
Business Associate Agreements
The HIPAA Privacy and Security Officers will work with the University Purchasing Office, Risk Management, and the Office of General Counsel, when appropriate, to review and approve all Business Associated Agreements (BAA). The unit and/or Covered Component to which the contract applies to, is responsible for retaining an executed copy of the BAA and providing a copy to the HIPAA Compliance Team at firstname.lastname@example.org.
D. Complaints Under HIPAA
The University's HIPAA Privacy Officer will be responsible for the implementation and administration of an institutionally based complaint process in compliance with HIPAA. Patients may complain directly to the University's Privacy Office or to the Secretary of the U.S. Department of Health and Human Services if they believe their privacy rights have been violated. To contact the University's Privacy Office, complaints may be directed to:
HIPAA Privacy Officer
030 Technology Support Building
300 Science Park Road
State College, PA 16803
VI. Individual Rights and Responsibilities
A. Training Requirements
Employees, students, and volunteers within a Covered Component of the University must receive training to assure their understanding of HIPAA privacy policies and procedures. This training must be appropriate for the members of the workforce to carry out their function within their employment, educational or volunteering area. Each new member of the Covered Components' workforce must also be trained within a reasonable period of time after the new staff member begins their employment or activity with the University. In addition, all employees of the Covered Components must receive training updates when there is a substantial change in the privacy policies that would affect the ability to do their job.
At the conclusion of all training sessions, participants shall sign and date a statement indicating their understanding and agreeing to comply with the privacy policies and procedures of the University and other requirements as defined in the training session. This statement shall further include information about the documents provided as part of the training and an acknowledgment of the sanctions for the failure to comply with this policy. The Covered Component will keep copies of the signed statements, pursuant to AD35.
B. Sanctions for Failure to Comply with this Policy
Failure to comply with the requirements of this policy may result in the imposition of sanctions in accordance with disciplinary policies or labor agreements applicable to University employees, including termination of employment. Students who fail to comply with the requirements of this policy may be subject to imposition of sanctions in accordance with student disciplinary policies, including dismissal from the University.
No University employee may intimidate, threaten, coerce,discriminate against, or take retaliatory action against any person receiving health care or other services, or for exercising their rights under HIPAA.
For questions, additional detail, or to request changes to this policy, please contact the Privacy Office.
Other Policies should also be referenced, especially the following:
AD35 - University Archives and Records Management
AD95 - Information Assurance and IT Security
AD96 - Acceptable Use of University Resources
RP07 - HIPAA and Research at Penn State University and The Milton S. Hershey Medical Center (Combining the Former Policies RP07 and RP08)
Most recent changes:
- August 30, 2018 - Editorial changes to update links to new policies (AD95 and AD96).
February 17, 2017 - Major changes throughout the policy to reflect current practice, bringing the policy language into compliance with federal regulations.
- January 22, 2013 - Editorial change: Counseling and Psychological Services (CAPS) was added to the list of units designated as covered components that are required to meet specific standards under the act as participants in the delivery of health care, paying for health care, and providing operational support for health care services.
- April 5, 2007 - Editorial change: address correction for Privacy Office in the Administration and Compliance section, #F-Complaints Under HIPAA.
- May 24, 2004 - Editorial change: address of Privacy Office changed from 320 Grange Building to 518 C Rider Building, 120 South Burrowes Street.
- April 18, 2003 - Editorial change: address of Privacy Office changed from 201 Old Main to 320 Grange Building.
- April 14, 2003 - New Policy.
Date Approved:February 15, 2017>
Date Published:February 17, 2017>