15. HIPAA
15.1 Scope of Policy. The University System of New Hampshire will comply with the Health Insurance Portability & Accountability Act (HIPAA). HIPAA applies only to designated units or departments within USNH that are health plans, health care clearinghouses, or health care providers that engage in payment-related electronic transactions. In addition, HIPAA also applies to departments or units that provide administrative functions for the designated units (e.g., General Counsel’s Office, Internal Audit). HIPAA also requires the plan sponsor of a group health plan to abide by specific regulations to ensure that reasonable and appropriate safeguards exist to protect the confidentiality of personally-identifiable health information. The USNH departments or units that are affected by the HIPAA Privacy Rule are referred to as “covered components” for the purposes of this policy.
15.2 Definition – Covered Information. The HIPAA Privacy Rule requires the University System to adopt appropriate administrative, technical and physical safeguards to protect the privacy of Protected Health Information (PHI), which is created or received by the University System’s covered components. PHI includes any health information relating to past, present or future physical or mental health, health care treatment, or payment for health care. PHI includes information that can identify an individual, such as name, social security number, address, date of birth, medical history or medical record number and includes such information transmitted or maintained in any format, including paper and electronic records. HIPAA contains special provisions for records related to workers’ compensation, psychotherapy, and employee health information.
15.3 Authority. Each institution of the University System shall adopt policies or procedures to ensure compliance with this policy. Such policies or procedures shall include the obligation to:
15.3.1 Notify employees (or patients in the case of covered components with patients as customers) about their rights to privacy under HIPAA.
15.3.2 Establish procedures for covered components that ensure PHI is protected.
15.3.3 Train employees who handle PHI on appropriate security procedures and knowledge of HIPAA.
15.3.4 Adopt procedures, including disciplinary actions, to address violations of USNH policy or HIPAA.
15.3.5 Secure employee and patient records containing individually identifiable health information so that they are not readily accessible to those who do not need to see them.
15.3.6 Make reasonable efforts to limit the use, disclosure of, and requests for protected health information to the minimum necessary to accomplish the intended purposes.
15.3.7 Adopt special procedures for the use of PHI for research. Reference the UNH Institutional Review Board (IRB) web site at http://www.unh.edu/osr/index.html for further information.
15.3.8 Execute business associate agreements and other required documents to permit covered components to share PHI with outside entities that have been contracted to provide products and services requiring access to PHI.
15.4 Notification. Each component institution shall notify the USNH General Counsel’s Office of the officer responsible for HIPAA compliance at its institution.