Compliance with the Health Insurance Portability and Accountability Act (HIPAA)
University Policy Number 1118
Categorized: General Policies
Responsible Office: Dean of Students
Related Law & Policy:
The policy is promulgated to assure compliance with the Health Insurance Portability and Accountability Act of 1996 and implementing regulations (“HIPAA”) to the extent applicable to George Mason University. This policy is in addition to the requirements of the Family Educational Rights and Privacy Act (“FERPA”) and the Virginia Government Data Collection and Dissemination Practices Act (“Privacy Act”).
II. POLICY STATEMENT
The University has elected to be a “Hybrid Entity” under HIPAA, and has designated Student Health Services (“SHS”) as that portion of its operation that perform covered functions and are designated its “Health Care Component” (covered unit). Other departments or components, to include those that interact with Student Health Services, may voluntarily chose to comply with or participate in some or all aspect of HIPAA policy but such compliance or participation shall not affect the department’s status as a non-covered unit.
Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and (1) is created or received by a health care provider, health plan, employer, or health care clearinghouse, and (2) relates to the past, present, or future physical or mental condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual; and (i) that identifies the individual; or (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the individual. (45 CFR § 164.501).
Protected health information (“PHI”) means individually identifiable health information, but does not include individually identifiable health information in education records covered by FERPA. (45 CFR § 164.501).
Notice of Privacy Practices (“NPP”) assures an individual has a right to adequate notice of the uses and disclosures PHI that may be made by the hybrid entity, and of the individual’s rights and the hybrid entity’s duties with respect to PHI. (45 CFR § 164.520).
The Privacy Official is responsible for adoption and implementation of the general policies and procedures for University HIPAA compliance and posting same on the University’s website. The Privacy Official may also designate additional departments within the University as covered units and subject to the requirements of this policy. The Dean of Students is designated as the Privacy Official.
The Contact Person is designated to receive complaints under this policy and providing further information about matters covered by the University’s Notice of Privacy Practices. The Assistant Dean of Students is designated as Contact Person.
The HIPAA Compliance Committee will assist the Privacy Official in the adoption and implementation of policies and procedures for University HIPAA compliance. The Compliance Committee is constituted with the Privacy Official, the Contact Person, Information Technology Security, Student Health Services and the Office of University Counsel. Other members may be added at the discretion of the Privacy Official.
All Covered Units are responsible for complying with this HIPAA policy and for developing operating procedures and forms as needed to implement and comply with such policies as are applicable, including appropriate administrative, technical and physical safeguards to protect the privacy of protected health information. All covered units are also responsible for providing the Privacy Official with current copies of their procedures and any forms or other HIPAA related documents. The University Privacy Official may require a covered unit to change its procedures, forms or related documents.
Information Technology Services (“ITS”) is responsible for regularly monitoring and testing the University network. ITS will coordinate the University’s compliance with HIPAA’s technical requirements and verify the security controls of systems authorized to process and store PHI.
PHI may be utilized in research only upon the written consent and authorization of the individual.
Complaints concerning HIPAA policies and procedures and/or compliance with those policies and procedures will be made in writing to the Contact Person. The Contact Person will investigate all complaints in a timely manner and provide a written determination to the parties involved (e.g., the complainant and the subject covered units) and to the Privacy Official. The Privacy Official will recommend sanctions, as appropriate, and amend policies and procedures, as needed.
VII. NO RETALIATION
Neither the University, nor any of its employees, will intimidate, threaten, coerce, discriminate against, or take other retaliatory action against:
1. Any individual for exercising of any rights under, or participating in any process established by the HIPAA privacy regulations, including filing a complaint.
2. Any person for:
a. Filing a complaint with the U.S. Secretary of Health and Human Services (or any other officer or employee of HHS to whom the authority has been designated) under the HIPAA regulations;
b. Testifying, assisting, or participating in an investigation, compliance review, proceeding, or hearing under Part C of Title XI; or
c. Opposing any act or practice made unlawful by the HIPAA privacy regulations, provided the person has a good faith belief that the practice opposed is unlawful, and the manner of the opposition is reasonable and does not involve a disclosure of protected health information in violation of the HIPAA privacy regulations.
All covered units will train workforce members (faculty, staff, students and volunteers) on policies and procedures with respect to PHI as required by HIPAA. Such training will be as necessary and appropriate for the members of the staff to carry out their functions. The Privacy Official is responsible for overseeing the adoption of training materials and the implementation of staff training.
Training shall be provided to all members and each new member shall be trained within a reasonable time after joining the workforce. Additional training will be provided to each member of a covered unit’s workforce whose functions are materially affected by any changes in HIPAA related policies or procedures. Such training will be provided within a reasonable time after the material change becomes effective.
All hybrid entity departments will maintain copies of the training materials and document that the required training has been provided.
IX. WAIVER OF RIGHTS
Individuals will not be required to waive any of their rights, or the right to file a complaint under the HIPAA privacy regulations as a condition of treatment, payment, enrollment in a health plan, or eligibility for benefits.
The University will mitigate, to the extent practicable, any known harmful effect of the use or disclosure, by the University or its business associates, of PHI in violation of its policies and procedures or the HIPAA privacy regulations.
Violation of this policy by a member of the University’s workforce is subject to appropriate personnel or other disciplinary action.
All policies, procedures, communications, actions, activities and/or designations that require documentation under HIPAA shall be maintained in written and/or electronic form and retained for a period not less than six years from the date of its creation or the date when it was last in effect, whichever is later.
Amendments to this policy will be made in accord with changes to the HIPAA statutes or applicable regulations.
Proposals for improvement to this policy from any source, to include patients and staff, may be considered as amendments. The Policy Official, after conferring with the HIPAA Compliance Committee, may implement appropriate amendments to this policy.
The University reserves the right to change a privacy practice as stated in the NPP.
XIV. EFFECTIVE DATE AND APPROVAL
The policies herein were effective January 17, 2007 and revised May 19, 2011. This policy shall be reviewed and revised, if necessary, annually.
Maurice W. Scherrens
Senior Vice President
Peter N. Stearns
Date approved: January 23, 2007
Revision Approved May 24, 2011
Revised February 16, 2017