HIPAA Regulations
Uses and Disclosures of Protected Health Information
a. The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
required the U.S. Department of Health and Human Services to establish
rules to protect the privacy of health information. Health information
covered by the HIPAA Privacy Rule is known as Protected Health Information
(PHI).
b. HIPAA was intended to improve the efficiency and effectiveness of the
healthcare system by standardizing the exchange of health information for
specific administrative and financial transactions, while protecting the
security and confidentiality of that information.
HIPAA Privacy Standards; Interchange of Electronic Data for Administrative and Financial Transactions; and Security Standards
a. Privacy Standards – these standards identify how a healthcare
provider will ensure that only the minimum necessary information is shared
with healthcare partners that have the right to know. Both healthcare
providers will exchange healthcare information for purposes related to
healthcare treatment, payment and operations.
b. Interchange of Electronic Data for Administrative and Financial
Transactions – these standards address the efficiency and
effectiveness of interchanging electronic data for administrative and
financial transactions such as insurance claims and payments, insurance
eligibility and enrollment and premium payments. This component also sets
standards for what codes can be used to indicate the performed procedures,
who performed the procedure, and to whom the procedure was performed.
c. Security Standards – The Health Insurance Portability
and Accountability Act of 1996 (HIPAA), enacted on August 21, 1996 as
Public Law 104-191, authorized the Secretary of Health and Human Services
(HHS) to develop security standards to prevent inadvertent or intentional
unauthorized use or disclosure of any health information that is electronically
maintained or used in an electronic transmission. On February 20, 2003
the final security rule was published.
Definition of Protected Health Information (PHI)
a. Protected Health Information is individually identifiable if it identifies
the individual or there is a reasonable basis to believe components of
the information could be used to identify the individual. Information
is protected whether it is in writing, in an electronic medium, or communicated
orally.
b. Health Information means information, whether oral or recorded in any
form or medium, that is (i) created or received by a health care provider,
health plan, employer, life insurer, public health authority, health care
clearinghouse or school or university; and (ii) relates to the past, present,
or future physical or mental health or condition of a person, the provision
of health care to a person, or the past, present, or future payment for
health care.
Privacy Notice and Privacy Manual
a. Privacy Notice – Describes the privacy practices
implemented by Wright State University concerning access and disclosures
of PHI and requests for inspection or copying of PHI.
b. Privacy Manual – Outlines Wright State University
administrative procedures for the purpose of establishing safeguards and
to verify identification and authority when accessing PHI.
c. Posting – The above materials are posted at: http://www.wright.edu/cats/security
HIPAA Training
a. All Wright State employees and students who will have access to PHI will
receive privacy training as part of their initial training. Employees
or students who change positions will receive new privacy training at
the time of the change.
b. Employee and student training on the use and disclosure of PHI will address
the protection, permissible disclosures, and general treatment of PHI.
All training is to be coordinated through the Office of Human Resources.
c. Documentation of privacy training will be maintained for six (6) years
from the date of its creation or the date when it was last in effect,
whichever is later.
d. HIPAA Security Awareness Training Module
Privacy Officer
a. Privacy Officer – will oversee all ongoing activities related to the development,
implementation, maintenance of, and adherence to the University’s
organizational policies and procedures covering the privacy of, and access
to, all individual protected health information in compliance with federal
and state laws and Wright State University’s information privacy
practices.
b. Contact – The Office of General Counsel is designated as the Privacy
Official: (e-mail address)
Sanctions
Wright State University is committed to taking and will take appropriate
disciplinary measures against any person(s) who violate any policy or
procedure of the University concerning the privacy of individually identifiable
health information. The disciplinary measures taken will be consistent
with the violation and the circumstances of each case. Discipline for
such infractions of University privacy policies and procedures may include
reprimand, suspension, or discharge of the responsible person(s), depending
on the severity of the misconduct.
Compliance Investigations and Reviews
Federal law authorized the Secretary of the U.S. Department of Health and Human
Services or a designee to conduct investigations and reviews of the
University’s compliance with the federal privacy laws and
regulations. You are required to cooperate with such an investigation
or review, and if you receive a telephone call or visit regarding such
an investigation or review, you must immediately contact the HIPAA Privacy
Officer.
For Further Information
If you have concerns or questions regarding this policy, you may contact
the Office of General Counsel.