The Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulates health care providers (Covered Entities) that electronically maintain or transmit protected health information (PHI) in connection with a covered transaction. HIPAA requires each Covered Entity (CE) to maintain reasonable and appropriate administrative, technical and physical safeguards for privacy and security. Entities or individuals who contract to perform services for a CE with access to protected health information (Business Associates) are also required to comply with the HIPAA privacy and security standards.
The University of North Carolina at Greensboro is subject to the HIPAA regulations because certain units of the University are Covered Entities and Business Associates (BA). UNCG is required to identify its units that meet the CE definition, ensure CE compliance with safeguard and implementation specifications, and enforce CE and BA compliance with the HIPAA regulations. Business associates of the UNCG CEs may be other UNCG units that perform work on behalf of the CE; and UNCG units may also serve as business associates to CEs other than UNCG.
UNCG has chosen a decentralized model, with University-wide coordination, to comply with the Act. The University designates HIPAA Security and Privacy Officers to provide campus-wide leadership for compliance.
This policy reflects the University’s commitment to comply with HIPAA.
This policy applies to all UNCG Covered Entities and Business Associates. The policy’s scope includes the five (5) areas of the HIPAA regulations: Standards for Electronic Transactions and Code Sets, National Provider and Employer Identifiers, Privacy Standards, Security Standards, and Breach Notification Standards.
3.1 U.S. Department of Health and Human Services (HHS):
Federal agency responsible for administering compliance with HIPAA.
3.2 Protected Health Information:
The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information.
A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.
Covered Entities (CE) are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards. Generally, these transactions concern billing and payment for services or insurance coverage.
If an entity does not meet the definition of a covered entity or business associate, it does not have to comply with the HIPAA Rules. However, a number of organizations have called for HIPAA compliance for non-covered entities, to ensure they do not compromise patient privacy.
3.6 Covered Transaction:
A transaction is an electronic exchange of information between two parties to carry out financial or administrative activities related to health care. Under HIPAA, the U.S. Department of Health and Human Services adopted certain standard transactions for the electronic exchange of health care data including payment and remittance advice, claims status, eligibility, coordination of benefits, claims and encounter information, enrollment and disenrollment, referrals and authorizations, and premium payments.
UNCG employees, UNCG students, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity. This includes full- and part-time employees, affiliates, associates, students, volunteers, and staff from third-party entities who provide service to the covered entity.
4. Roles and Responsibilities
4.1 UNCG Privacy Officer:
Refers to the individual with overall responsibility for HIPAA privacy compliance for UNCG. Other responsibilities include HIPAA training and the UNCG HIPAA Committee.
4.2 UNCG HIPAA Security Officer:
Refers to the individual within UNCG Information Technology Services responsible for UNCG HIPAA electronic security compliance.
4.3 HIPAA Compliance Officer:
Refers to the individual within each Covered Entity tasked with overall responsibility for HIPAA privacy and security compliance.
4.4 HIPAA Committee:
The University established a HIPAA Committee for continuous operation that will meet at least quarterly or as necessary. Appointed by the Chancellor (or designee), this Committee addresses specific policy and program issues related to HIPAA compliance on campus and monitors the institution’s response to compliance issues.
The UNCG Privacy and Security Officers serve as committee chairs and Covered Entity Compliance Officers serve as committee members. Non-Covered Entity members are included on an ad hoc basis as appropriate.
The committee will include representatives from campus Covered Entities and non-Covered Entities:
- Covered Entities
  - Speech & Hearing Center
  - Psychology Clinic
  - Student Health Services
- Non-Covered Entities
  - Information Technology Services
  - Athletics Department
  - University Communications
  - Office of Institutional Integrity and General Counsel (in an advisory capacity)
  - Office of Research Integrity
  - Vacc Clinic
  - Office of Enterprise Risk Management
- Monitoring legislative changes in privacy and security regulations
- Assessing and determining campus non-compliance events, such as HIPAA breaches, and managing campus responses as determined by HIPAA regulations
- Implementing standardized policies and procedures with respect to protected health information that comply with HIPAA regulations including, but not limited to, ensuring compliance with and enforcement of PHI security, use and disclosure with other University employees as appropriate as well as external third parties.
- Monitoring implementation of HIPAA policies and procedures
- Maintaining a written (paper or electronic) record of actions, activities or assessments required to be documented by the HIPAA regulations. Such records may include, but are not limited to:
  - Committee Minutes
  - Committee/task force charters
  - Executive memorandums
  - Committee charter
- Designing and disseminating a University-wide HIPAA annual training program that informs all staff to whom this policy applies, including management, of all policies and procedures that apply to them in their individual roles. Notwithstanding the foregoing, this training is to include non-Covered Entity staff who encounter PHI as part of their functions as appropriate.
Each Covered Entity must:
- Appoint a HIPAA compliance officer or officers
- Implement policies and procedures with respect to protected health information that comply with HIPAA regulations including, but not limited to, ensuring compliance with and enforcement of PHI security, use and disclosure with other University employees as well as external third parties.
- Maintain policies and procedures it implements in written (paper or electronic) form
- Maintain a written (paper or electronic) record of actions, activities or assessments required to be documented by HIPAA regulations. Such records may include, but are not limited to:
  - Corrective Action Plans
  - Quality Improvement Evaluations
  - Security Audit Results
- Retain such required documentation for six (6) years from the date of its creation or the date when it was last in effect, whichever is later, and in accordance with the UNCG Records Retention and Disposition Schedule.
- Make the required documentation available to all staff responsible for implementing the policies and procedures to which the documentation applies.
- Implement the University HIPAA training program with their staffs.
- Inform patients of the Covered Entity’s HIPAA policies and procedures and patients’ rights and responsibilities and receive and maintain written acknowledgement of receipt of such information.
- Promptly document, process, and report to the HIPAA Committee any complaints of alleged HIPAA violations, mitigate any damages, investigate and address any violations.
- Perform regular, ongoing monitoring, assessment and revision, as necessary, of HIPAA security, policies and procedures and documentation in response to environmental, operational, staff, technical, or legal changes including, but not limited to those aspects of the CE affecting the confidentiality, integrity or availability of its PHI.
6. Compliance and Enforcement
Responsibility for campus-wide implementation of this policy resides with the Chancellor or their designee. The UNCG HIPAA Privacy and Security Officers have overall responsibility for compliance with the HIPAA regulations. HIPAA Compliance Officer(s) in each CE are responsible for individual Covered Entity compliance.
Any violation of this policy by a University student is subject to the Student Code of Conduct in the Student Policy Handbook. For employees, violation of this policy will be subject to consideration as “misconduct” under EHRA policies (faculty and EHRA non-faculty) or “unacceptable personal conduct” under SHRA policies, including any appeal rights stated therein.
If violation of the policy also results in a violation of law, the violation may be referred for criminal or civil prosecution.
The Chancellor has approved this HIPAA Compliance Policy. This policy will be reviewed and updated periodically as appropriate.
9. Contacts for Additional Information and Reporting
- Responsible Executive: Vice Chancellor for Student Affairs
- Responsible Administrator: Associate Vice Chancellor and Dean of Students
- Other Contacts:
  - UNCG HIPAA Privacy Officer (336.334.3147)
  - UNCG HIPAA Security Officer (336.334.4374)
- Additional Terms and Definitions
- HIPAA Privacy Procedures
- HIPAA Security Management Procedures
- HIPAA Breach Notification Procedures
| Revision Date | Revision Summary |
|---|---|
| 02/28/2010 | Revisions Approved by Chancellor |
| 05/31/2010 | Revisions Approved by Chancellor |
| 11/14/2022 | Comprehensive Update reviewed and approved by Chancellor's Council |