Compliance with the Health Insurance Portability and Accountability Act (HIPAA)
University Policy Number 1118
Categorized: General Policies
Responsible Office: Dean of Students
Related Law & Policy:
- HIPAA Regulations
- FERPA Regulations
- Joint Guidance on the Application of FERPA and HIPAA to Student Health Records
- Policy 1102: Records Management
- Policy 1114: Data Stewardship
The policy is promulgated to assure compliance with the Health Insurance Portability and Accountability Act of 1996 and implementing regulations (“HIPAA”) to the extent applicable to George Mason University. This policy is in addition to the requirements of the Family Educational Rights and Privacy Act (“FERPA”) and the Virginia Government Data Collection and Dissemination Practices Act (“Privacy Act”).
II. POLICY STATEMENT
The University has elected to be a “Hybrid Entity” under HIPAA, and has designated Student Health Services (“SHS”), the College of Health and Human Services MAP Clinics (“MAP Clinics”) and Population Health Center, the Center for Psychological Services, Occupational Health and Well-Being, and the Frank Pettrone Center for Sports Performance as those portions of its operation that perform covered functions and are designated as its “Health Care Components” for HIPAA purposes. The Health Care Components shall comply with HIPAA and the associated federal regulations to the extent required by law and the federal Joint Guidance on the Application of FERPA and HIPAA to Student Health Records. The Health Care Components shall maintain all health records of students as required by FERPA and all health records of non-students as required by the HIPAA.
All other components and department of the University are not Health Care Components and, therefore, are not required to comply with HIPAA. Regardless of the applicability of HIPAA, all University departments and components shall comply with all applicable University policies when collecting, storing, or transmitting health information.
Each Health Care Component shall designate a Privacy Official who shall be responsible for that unit’s compliance with this policy.
A. Effective Date:
This policy will become effective upon the date of approval by the Senior Vice President and Provost
B. Date of Most Recent Review
V. TIMETABLE FOR REVIEW
This policy, and any related procedures, shall be reviewed every three years or earlier if required due to a change in related law or guidance.
Senior Vice President
Date approved: January 23, 2007
Revision Approved May 24, 2011
Revised February 16, 2017
Revised May 22, 2022