13.16 Use and Security of Protected Health Information

Purpose

To ensure that the University of Northern Iowa’s collection, maintenance, and distribution of Protected Health Information (PHI) is compliant with all state and federal laws and regulations, including, but not limited to, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Policy Statement

The University of Northern Iowa (UNI) is committed to ensuring the privacy and proper handling of Protected Health Information that it collects and maintains from students, faculty, staff, and other individuals associated with the University. Faculty, staff, students, or anyone else accessing Protected Health Information must protect the data from a loss of availability, confidentiality, or integrity. Electronic systems storing Protected Health Information must be secured sufficiently to protect the availability, confidentiality, and integrity of the Protected Health Information.

Individuals who knowingly violate this policy, or who in any way compromise the availability, confidentiality, or integrity of PHI, may be subject to appropriate disciplinary action or sanctions. Sanctions may also be enforced by an outside entity, such as the US Department of Health and Human Services Office for Civil Rights. Egregious violations of HIPAA can result in criminal and civil penalties for individuals.

Covered Units

The University of Northern Iowa is a hybrid entity as defined in HIPAA privacy regulations. UNI's primary purpose is education; however, UNI does have departments and activities that provide healthcare services and plans that constitute “covered units.” UNI also has offices and departments that provide business support to covered units. These business support offices and departments have or may have access to protected medical and health information. UNI has identified and designated its covered units as follows:

          Designated Health Care Provider components are:
                    Student Health Clinic
                    Student Health Clinic Pharmacy
                    Athletic Training     

          Health Plan components are: 
                    Self-insured UNI Health plans
                    Self-insured UNI Dental plans
                    Medical reimbursement flexible spending account program
                    Student Health Insurance Plan (SHIP)

Support units/personnel that are part of the UNI hybrid entity receive PHI from covered units; these support units/personnel are: 
          Student Disability Services
          Counseling Center       
          Human Resource Services
          Risk Manager
          Information Technology Services
          Divisional, Collegiate, or Departmental Information Technology Staff          
          Internal Audit
          University Counsel

Noncovered Units or entities 

Other entities that are associated with the University of Northern Iowa in some fashion may handle protected health information but are not considered covered units as defined in this policy. Such units are not subject to the provisions of this policy but are required to maintain their own policies. Examples of such units are Cedar Valley Medical Specialists, Wheaton Franciscan Healthcare, and Unity Point Health.

Responsibility of covered units

Individuals responsible for the units designated as “covered units” in this policy are responsible for ensuring their unit’s compliance with the policy. The Executive Vice President for Academic Affairs and Provost, the Vice President for Administration and Financial Services, and the Vice President for Student Affairs are responsible for the enforcement of this policy and associated procedures within their respective divisions.

Units covered by this policy must:

  1. Ensure that PHI will only be electronically transmitted on the “open” University network via encrypted mechanisms approved by UNI’s Health Information Security Officer. 
  2. Ensure that all documents (paper and electronic) and any storage media containing PHI shall be disposed of in a timely and secure fashion consistent with applicable retention requirements.  Secure disposal standards will be subject to approval by UNI’s Health Information Security Officer. 
  3. Release PHI to entities outside the University only as allowed by law or when the patient/client or legal representative grants such permission. Examples may include the submission of insurance claims or the transfer of records to another health care provider. University contracts with outside entities shall include, where relevant, language identifying the responsibilities of and restrictions on the third party’s use of PHI.
  4. Consult with the Health Information Privacy Officer when an opinion on the appropriateness of a potential release of PHI is required.
  5. Consult with the Health Information Security Officer to authorize the use of PHI in new systems. 
  6. Demonstrate, as requested, their compliance with all state and federal laws and regulations on PHI to the HIPAA Compliance Committee, the Health Information Privacy Officer, and/or the Health Information Security Officer. It shall not be the responsibility of the HIPAA Compliance Committee, the Health Information Privacy Officer, and/or the Health Information Security Officer to prove non-compliance.

Use of Terms

  1. Availability - A loss of availability is the disruption of access to or use of information or an information system.
  2. Confidentiality - A loss of confidentiality is the unauthorized disclosure, access or use of information.
  3. Integrity - A loss of integrity is the unauthorized modification or destruction of information.
  4. Protected Health Information (PHI) – PHI is defined in 45 CFR (Code of Federal Regulations) 160.103.  Generally, PHI is any individually identifiable health information held or maintained by a covered entity or its business associate acting for the covered entity; it includes health information with data items which reasonably could be expected to allow individual identification. Sometimes this information is known as private health information or personal health information.  PHI does not include education records covered by the Family Educational Rights and Privacy Act, records described in 20 USC (United States Code) 1232g(a)(4)(B)(iv) (generally, student-related records of medical professionals), and employment records held by a covered entity; these types of records are covered by other rules and laws relating to privacy or confidentiality. 
  5. Risk - Risk is the likelihood that an incident or circumstance occurs or exists that causes harm to an informational asset. Typically, a medium or high risk is one that has a strong likelihood of occurring, a large potential impact, or both, according to a standard risk assessment.

HIPAA Compliance Committee

The HIPAA Compliance Committee will assist the Health Information Privacy Officer in the adoption and implementation of policies and procedures for University HIPAA compliance. The Compliance Committee is composed of the Health Information Privacy Officer, the Health Information Security Officer, the Student Health Clinic Security Information Officer, and the Office of University Counsel. Other members may be added at the discretion of the Health Information Privacy Officer and/or the Health Information Security Officer.

The HIPAA Compliance Committee shall:

  1. Provide advice and support to the Health Information Privacy Officer and Health Information Security Officer.
  2. Assist in developing, monitoring, implementing, and revising policies and procedures necessary to protect the availability, confidentiality, and integrity of the PHI of UNI employees and students. 
  3. Develop the specific details of policies and procedures to assure compliance with health information privacy laws and regulations.
  4. Identify activities or business practices deemed a medium or high risk to the availability, confidentiality, and integrity of PHI and request of the appropriate division head that said activities or practices be ceased or appropriately modified.

Health Information Privacy Officer

The director of the Student Health Clinic shall serve as the Health Information Privacy Officer. The Health Information Privacy Officer shall provide leadership to the overall management of UNI's PHI compliance and shall chair the HIPAA Compliance Committee. University Counsel shall provide legal advice, as needed, to the Health Information Privacy Officer.

The Health Information Privacy Officer shall have the responsibility and authority to:

  1. Convene the HIPAA Compliance Committee as determined necessary.
  2. Develop and maintain policies and procedures that protect the availability, confidentiality, and integrity of the PHI of employees, students, and other individuals, as determined by the HIPAA Compliance Committee.
  3. Oversee the implementation and adherence to PHI policies and procedures.
  4. Receive and investigate complaints concerning the use and disclosure of PHI.
  5. Develop and implement an organization-wide training program on PHI.
  6. Review, update and improve policies and practices as they relate to protecting the availability, confidentiality, and integrity of the PHI of UNI employees, students, and other individuals as necessary.
  7. Identify activities or business practices deemed a medium or high risk to the availability, confidentiality, and integrity of PHI and request of the appropriate division head that said activities or practices be immediately ceased or appropriately modified, until such activities or business practices are reviewed by the entire HIPAA Compliance Committee.

Health Information Security Officer

The Chief Information Officer (CIO) shall designate a member of his/her staff to serve as the Health Information Security Officer.  The Health Information Security Officer shall be responsible for the security of PHI transmitted or stored in university technology systems. University Counsel shall provide legal advice, as needed, to the Health Information Security Officer.

The Health Information Security Officer shall have the responsibility and authority to:

  1. Develop and maintain policies, procedures, and educational programs to protect the availability, confidentiality, and integrity of Protected Health Information of UNI employees, students, and other individuals.
  2. Perform ongoing information risk assessments and audits to ensure that information systems and PHI are adequately secured and meet HIPAA requirements.  
  3. Lead an incident response team to contain and investigate computer security breaches, and prevent future security breaches.
  4. Identify activities or business practices deemed a medium or high risk to the availability, confidentiality, and integrity of PHI and request of the appropriate division head that said activities or practices be immediately ceased or appropriately modified, until such activities or business practices are reviewed by the entire HIPAA Compliance Committee.

The UNI Institutional Review Board oversees the collection and management of private information about individuals for research purposes.  For information about the requirements governing research involving human subjects, see http://www.uni.edu/osp/protection-human-research-participants.

Student Health Clinic, approved October 16, 2014 
President’s Cabinet, approved December 8, 2014 
President and Executive Management Team, approved January 12, 2015