Health Insurance Portability and Accountability Act (HIPAA)

Purpose

Lynn University complies with all laws that govern employees’ and students’ medical records, their review and their dissemination. The University will not require individuals to waive their health privacy rights as a condition for treatment, payment, enrollment in the health plan, and/or eligibility for benefits. Lynn University will not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against an individual for exercising health privacy rights. For more detailed information, please refer to the United States Department of Health and Human Services.

Policy

It is the policy of Lynn University that the security of health-care-related information and the privacy of individuals be protected to the maximum extent possible, in accordance with The Federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA” or “the Act”) and other applicable statutes, and with the overall responsibility of the University to support the privacy rights and concerns of its members.

The University has established appropriate safeguards to ensure that covered components do not inappropriately disclose Protected Health Information (PHI) and that employees use and disclose PHI only as permitted or required by state and federal law.

The University provides individuals with a Notice of HIPAA Rights, which summarizes the University’s legal duties and privacy practices regarding health information about the individual.

Individuals have the right to request access to inspect or copy their protected health information that is maintained in a designated record set. The University will address an individual’s request to inspect or copy his or her protected health information in a timely and professional manner. Individuals do not have the right to access certain types of information and in those situations, the University may deny an individual’s request to access. In certain circumstances, an individual may have the right to have a denial reviewed.

The Chief Strategy and Technology Officer has been designated to serve as the University’s Privacy Official, with responsibility limited to HIPAA-related compliance requirements and inquiries, and is designated to receive complaints under this policy. The University will respond to questions and complaints regarding the privacy and security of PHI at the University and will resolve complaints as appropriate. In addition, individuals may file a complaint with the appropriate Office for Civil Rights (OCR) Regional Office.

The University will not sanction, intimidate, threaten, coerce, discriminate against, or take other retaliatory action against persons who file complaints with the University or the U.S. Department of Health and Human Services; persons who testify, assist or participate in an investigation, compliance review, proceeding or hearing; or persons opposing any act or practice that is unlawful, provided that the person had a good-faith belief that the practice is unlawful and that the manner of opposition is reasonable and does not involve an unlawful disclosure of PHI. Any individual who feels that he or she has been retaliated against as a result of such participation should refer to the University’s Whistleblower Policy for additional guidance.

Definitions

Covered Components - means those departments of the University that must comply with HIPAA regulations. The designated covered components of the University are listed in the procedures section of the Policy.

Individually Identifiable Health Information—means information that is a subset of health information, including demographic information collected from an individual, and (1) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care of an individual; and (a) that identifies the individual; or (b) with respect to which there is a reasonable basis to believe the information can be used to identify the individual. 45 C.F.R. 160.103.

Protected Health Information (PHI)—means individually identifiable health information that is transmitted or maintained in electronic media (ePHI), or transmitted or maintained in any other form or medium. PHI excludes education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g, records described at 20 U.S.C. 1232g(a)(4)(B)(iv), and employment records held by a covered entity in its role as employer. See 45 C.F.R. 164.501, 160.103.

Procedures/Guidelines

I. Scope

Lynn University is a hybrid entity as defined in 45 C.F.R. §164.103 and includes both covered and non-covered components. The University’s HIPAA policy and procedures apply only to the University’s designated covered components, which include: Employee Services

The above designated covered components may not share PHI or ePHI with the non-covered components of the University unless specifically permitted by HIPAA regulations. It is the responsibility of each designated covered component to ensure that its employees, student employees, volunteers, etc. comply with this Policy and procedures and with other University privacy-related policies and procedures.

II. Authorization to Use or Disclose Protected Health Information

The University will obtain an individual’s authorization to use or disclose PHI in accordance with HIPAA and its regulations. Generally, the University’s designated covered components do not need to obtain an individual’s authorization when using and disclosing protected health information for routine purposes (e.g. treatment, payment, or health care operations), or for other limited purposes, as described in the Notice of Privacy Rights. Otherwise, the University’s designated covered components must obtain an individual’s valid written authorization for the use or disclosure of PHI.

III. Training

All covered components whose employees have direct or indirect access to PHI will train employees with respect to PHI as required by HIPAA. Such training will be as necessary and appropriate for the members of the staff to carry out their functions. The University Privacy Officer, with the assistance of the University Compliance Officer, is responsible for overseeing training guidance and assistance.

All Covered Components will maintain copies of the training materials and document that the required training has been provided. All training documents, including attendance rosters, will be forwarded to Employee Services. The documentation will be retained in accordance with the University’s Record Retention Schedule.

IV. Business Associates

From time to time, Covered Components may share PHI with external parties, known as business associates. PHI generally may only be shared with business associates pursuant to a valid Business Associate Agreement. A Business Associate Agreement can be in the form of a written amendment to an existing agreement.

V. Filing a Complaint

If an individual believes his or her privacy rights have been violated, he or she may file a complaint with the appropriate OCR Regional Office, or with the Chief Strategy and Technology Officer. Designated Covered Components must instruct individuals who wish to file a complaint to contact the Chief Strategy and Technology Officer.

Individuals must file complaints in writing, either on paper or electronically, within 180 days of when the individual knew or should have known of the circumstance that led to the complaint, unless this time limit is waived for “good cause” shown.

A complaint must name the entity that is the subject of the complaint and describe the acts or omissions believed to be in violation of the HIPAA requirements.

Individuals will not be penalized for filing a complaint.

VI. Investigation, Sanctions

The Chief Strategy and Technology Officer or a designee will investigate complaints to determine whether a privacy violation has occurred.

If the Chief Strategy and Technology Officer or a designee determines that a violation occurred, he or she will apply appropriate sanctions against the person or entity who failed to comply with the privacy policies and procedures and, where necessary, instruct the person or entity to take corrective action. The Chief Strategy and Technology Officer will document any sanctions imposed.

VII. Minimum Necessary Use and Disclosure of Protected Health Information

When using or disclosing PHI or when requesting PHI from another entity covered by the HIPAA privacy regulations, the University will make a reasonable effort to limit itself to the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure or request. The University is not required to apply the minimum necessary standard under the following circumstances:

  • For Treatment. Disclosure to or requests by a health care provider for purposes of diagnosing or treating an individual;
  • To the Individual. Uses or disclosures made to the individual;
  • Pursuant to Patient’s Authorization. Uses or disclosures pursuant to a valid authorization;
  • To HHS. Disclosures to the Office for Civil Rights of the U.S. Department of Health and Human Services for HIPAA compliance purposes; and
  • Required by Law. Uses or disclosures that are required by law (i.e., a mandate that is contained in law that compels the University to use or disclose protected health information and that is enforceable in a court of law, e.g., court orders, court-ordered subpoenas, civil or authorized investigative demands).

To learn more about this policy or the supporting procedures, please contact Employee Services.

Policy updated on: Oct. 22, 2020