General Policies
University Policy Number 1118
Subject: Compliance with the Health Insurance Portability and Accountability Act (HIPAA)
Responsible Parties: Dean of Students
Procedures: Not Applicable
Related University Policies: Not Applicable
I. SCOPE
The policy is promulgated to assure compliance with the Health Insurance
Portability and Accountability Act of 1996 and implementing regulations
(HIPAA) to the extent applicable to George Mason University. This policy
is in addition to the requirements of the Family Educational Rights and
Privacy Act (FERPA).
II. POLICY STATEMENT
The University has elected to be a “Hybrid Entity” under HIPAA, and has designated Student Health Services (SHS) and the Account and Loan Management Office as those portions of its operation that perform covered functions and are designated its “Health Care Components” (covered units). Other departments or components that perform health care functions may voluntarily choose to comply with or participate in some or all aspects of HIPAA policy, but such compliance or participation shall not affect the department’s status as a non-covered unit.
III. DEFINITIONS
Individually identifiable health information is information that
is a subset of health information, including demographic information collected
from an individual, and (1) is created or received by a health care provider,
health plan, employer, or health care clearinghouse, and (2) relates to
the past, present, or future physical or mental condition of an individual;
the provision of health care to an individual; or the past, present or
future payment for the provision of health care to an individual; and
(i) that identifies the individual; or (ii) with respect to which there
is a reasonable basis to believe the information can be used to identify
the individual. (45 CFR § 164.501).
Protected health information (PHI) means individually identifiable
health information, but does not include individually identifiable health
information in education records covered by FERPA. (45 CFR § 164.501).
Notice of Privacy Practices (NPP) assures an individual has a right to adequate notice of the uses and disclosures of PHI that may be made by the hybrid entity, and of the individual’s rights and the hybrid entity’s duties with respect to PHI. (45 CFR § 164.520).
IV. RESPONSIBILITIES
The Privacy Official is responsible for adoption and implementation of the general policies and procedures for University HIPAA compliance and posting same on the University’s website. The Privacy Official may also designate additional departments within the University as covered units and subject to the requirements of this policy. The Dean of Students is designated as the Privacy Official.
The Contact Person is designated to receive complaints under this policy and to provide further information about matters covered by the University’s Notice of Privacy Practices. The Judicial Affairs Coordinator is designated as Contact Person.
The HIPAA Compliance Committee will assist the Privacy Official
in the adoption and implementation of policies and procedures for University
HIPAA compliance. The Compliance Committee is constituted with the Privacy
Official, the Contact Person, and designated representatives of the College
of Health and Human Services, Information Technology Security, Student
Health Services, Research Subjects Protection Office, Office of Sponsored
Programs, Fiscal Services and the Office of University Counsel. Other
members may be added at the discretion of the Privacy Official.
All Covered Units are responsible for complying with this HIPAA
policy and for developing operating procedures and forms as needed to
implement and comply with such policies as are applicable, including appropriate
administrative, technical and physical safeguards to protect the privacy
of protected health information. All covered units are also responsible
for providing the Privacy Official with current copies of their procedures
and any forms or other HIPAA related documents. The University Privacy
Official may require a covered unit to change its procedures, forms or
related documents.
The Information Technology Unit (ITU) is responsible for regularly
monitoring and testing the University network. ITU will coordinate the
University’s compliance with HIPAA’s technical requirements
and verify the security controls of systems authorized to process and
store PHI.
V. RESEARCH
PHI may be utilized in research only upon the written consent and authorization
of the individual.
VI. COMPLAINTS
Complaints concerning HIPAA policies and procedures and/or compliance
with those policies and procedures will be made in writing to the Contact
Person. The Contact Person will investigate all complaints in a timely
manner and provide a written determination to the parties involved (e.g.,
the complainant and the subject covered units) and to the Privacy Official.
The Privacy Official will recommend sanctions, as appropriate, and amend
policies and procedures, as needed.
VII. NO RETALIATION
Neither the University, nor any of its employees, will intimidate,
threaten, coerce, discriminate against, or take other retaliatory action
against:
1. Any individual for exercising any rights under, or participating in any process established by, the HIPAA privacy regulations, including filing a complaint.
2. Any person for:
a. Filing a complaint with the U.S. Secretary of Health and Human Services (or any other officer or employee of HHS to whom the authority has been designated) under the HIPAA regulations;
b. Testifying, assisting, or participating in an investigation, compliance review, proceeding, or hearing under Part C of Title XI; or
c. Opposing any act or practice made unlawful by the HIPAA privacy regulations, provided the person has a good faith belief that the practice opposed is unlawful, and the manner of the opposition is reasonable and does not involve a disclosure of protected health information in violation of the HIPAA privacy regulations.
VIII. TRAINING
All covered units will train workforce members (faculty, staff,
students and volunteers) on policies and procedures with respect to PHI
as required by HIPAA. Such training will be as necessary and appropriate
for the members of the staff to carry out their functions. The Privacy
Official is responsible for overseeing the adoption of training materials
and the implementation of staff training.
Training shall be provided to all members and each new member shall be trained within a reasonable time after joining the workforce. Additional training will be provided to each member of a covered unit’s workforce whose functions are materially affected by any changes in HIPAA related policies or procedures. Such training will be provided within a reasonable time after the material change becomes effective.
All hybrid entity departments will maintain copies of the training materials
and document that the required training has been provided.
IX. WAIVER OF RIGHTS
Individuals will not be required to waive any of their rights, or the
right to file a complaint under the HIPAA privacy regulations as a condition
of treatment, payment, enrollment in a health plan, or eligibility for
benefits.
X. MITIGATION
The University will mitigate, to the extent practicable, any known harmful
effect of the use or disclosure, by the University or its business associates,
of PHI in violation of its policies and procedures or the HIPAA privacy
regulations.
XI. SANCTIONS
Violation of this policy by a member of the University’s workforce is subject to appropriate personnel or other disciplinary action.
XII. DOCUMENTATION
All policies, procedures, communications, actions, activities and/or
designations that require documentation under HIPAA shall be maintained
in written and/or electronic form and retained for a period of not less than
six years from the date of creation or the date when the document was last in
effect, whichever is later.
XIII. AMENDMENT
Amendments to this policy will be made in accord with changes to the HIPAA statutes or applicable regulations.
Proposals for improvement to this policy from any source, to include patients and staff, may be considered as amendments. The Policy Official, after conferring with the HIPAA Compliance Committee, may implement appropriate amendments to this policy.
The University reserves the right to change a privacy practice as stated in the NPP.
XIV. EFFECTIVE DATE AND APPROVAL
This policy is effective January 17, 2007. This policy shall be reviewed and revised, if necessary, annually to become effective at the beginning of the University's fiscal year, unless otherwise noted.
Approved:
_______________________
Maurice W. Scherrens
Senior Vice President
________________________
Peter N. Stearns
Provost
Date approved: January 23, 2007