University of Maryland
Consolidated USM and UMD Policies and Procedures

VI-24.00(A) UNIVERSITY OF MARYLAND POLICY ON COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT
(Approved by the President, March 20, 2003)


I. GENERAL

    The policy of the University of Maryland, College Park, is to comply with the Health Insurance Portability and Accountability Act of 1996[1] and its implementing regulations[2] (collectively "HIPAA") to the extent that HIPAA is applicable to the University.

II. STATUS AS HYBRID ENTITY

    The University's activities include both HIPAA covered and non-covered functions. Accordingly, the University has determined that it is a hybrid entity for HIPAA coverage purposes.

III. DESIGNATIONS

    The University has designated its Health Care Component, as set forth in Attachment A to this policy. A unit is included in the designation only to the extent it performs HIPAA covered functions or engages in activities that would make it a business associate of a unit that performs covered functions if the two were separate legal entities ("covered unit"). Other units that perform health care functions may voluntarily choose to comply with or participate in some or all HIPAA requirements, policies or procedures. Such voluntary compliance or participation shall not affect a unit's status as a non-covered component.

    The University has designated a Privacy Officer for HIPAA compliance purposes. The HIPAA Privacy Officer designation and contact information are posted on the University's HIPAA Website, http://hipaa.umd.edu. The designation of the Privacy Officer is subject to change by the President.

    The Privacy Officer is responsible for the development and implementation of policies and procedures as required by HIPAA. The Privacy Officer may amend the University's designation of covered unit(s) from time to time, as appropriate. The Privacy Officer is also designated to receive complaints concerning the University's HIPAA related policies and procedures and HIPAA compliance and to provide further information about matters covered by the University's Notice(s) of Privacy Practices.

    Each covered unit shall designate a Privacy Coordinator to interact with the Privacy Officer and coordinate HIPAA compliance within the unit. Documentation of each Privacy Coordinator designation shall be provided to and maintained by the Privacy Officer.

IV. IMPLEMENTING POLICIES AND PROCEDURES

    The University's Privacy Officer is responsible for adopting and implementing general operating policies governing HIPAA compliance by the Health Care Component. Such policies shall be distributed to all covered units and posted on the University's HIPAA Website.

    Each covered unit is responsible for complying with the HIPAA operating policies, as applicable, and for developing procedures and forms as needed to implement and comply with such policies and HIPAA, including appropriate administrative, technical and physical safeguards to protect the privacy of protected health information. Each covered unit is also responsible for providing the University's Privacy Officer with current copies of its procedures and any forms or other HIPAA related documents. The Privacy Officer may require a covered unit to change its procedures, forms or related documents.

V. HIPAA ADVISORY COMMITTEE

    The University has established a HIPAA Advisory Committee to assist the Privacy Officers and oversee the University's HIPAA compliance. The Privacy Officer shall chair the committee. One member of the committee shall be designated by each of the following offices: Senior Vice President for Academic Affairs and Provost, Vice President and Chief Information Officer, Vice President for Research and Dean of the Graduate School, and Vice President for Student Affairs. The University's Information Technology Security Officer will also serve on the committee. Additional members may be appointed by the Privacy Officer. The Office of Legal Affairs will provide advice to the committee.

VI. COMPLAINTS

    Complaints concerning the University's HIPAA policies and procedures and/or compliance with those policies and procedures or HIPAA shall be made in writing to the Privacy Officer. The Privacy Officer shall investigate all complaints in a timely manner and provide a written determination to the parties involved (e.g., the complainant and the covered unit(s)). The Privacy Officer shall document all complaints received and their disposition.

VII. NO RETALIATION

    Neither the University, nor any of its employees, will intimidate, threaten, coerce, discriminate against, or take other retaliatory action against:
      1. Any individual for exercising any rights under, or participating in any process established by, the HIPAA privacy regulations, including filing a complaint; or

      2. Any person for:
        A. filing a complaint with the U.S. Secretary of Health and Human Services (or any other officer or employee of HHS to whom the authority has been designated) under the HIPAA regulations;

        B. testifying, assisting, or participating in an investigation, compliance review, proceeding, or hearing under Part C of title XI; or

        C. opposing any act or practice made unlawful by the HIPAA privacy regulations, provided the person has a good faith belief that the practice opposed is unlawful, and the manner of the opposition is reasonable and does not involve a disclosure of protected health information in violation of the HIPAA privacy regulations.

VIII. TRAINING

      The University will train members of its workforce (faculty, staff, students and volunteers) in each covered unit on policies and procedures with respect to protected health information as required by HIPAA. Such training will be as necessary and appropriate for the members of the workforce to carry out their function within the covered unit. The Privacy Officer, in conjunction with the units' Privacy Coordinators, is responsible for developing training materials and implementing and overseeing workforce training.

      Training shall be provided not later than April 13, 2003. Thereafter, each new member of a covered unit's workforce shall be trained within a reasonable time after joining the workforce. Additional training will be provided to each member of a covered unit's workforce whose functions are materially affected by a change in HIPAA related policies or procedures. Such training will be provided within a reasonable time after the material change becomes effective.

      The Privacy Officer, and the Privacy Coordinators for the designated components, shall maintain copies of the training materials and document that the required training has been provided.

IX. WAIVER OF RIGHTS

      Individuals will not be required to waive their rights to file a complaint under the HIPAA privacy regulations as a condition of treatment, payment, enrollment in a health plan, or eligibility for benefits.

X. MITIGATION

      The University will mitigate, to the extent practicable, any harmful effect that is known to it of a use or disclosure, by the University or its business associates, of protected health information in violation of its policies and procedures or the HIPAA privacy regulations.

XI. SANCTIONS

      Violation of this policy by a member of the University's workforce is subject to appropriate personnel or other disciplinary action.

XII. DOCUMENTATION

      All policies, procedures, communications, actions, activities and/or designations that require documentation under HIPAA shall be maintained in written and/or electronic form and retained for a period not less than six years from the date of its creation or the date when it was last in effect, whichever is later.

      The University's Privacy Officer will determine whether documentation required by HIPAA and/or this policy should be kept centrally by the Privacy Officer, or whether any covered unit will be responsible for keeping its own documentation as required by HIPAA. The Privacy Officer has the authority to require any covered unit to send all documentation to him/her.

XIII. AMENDMENT

      The University may change this policy and any other of the policies and procedures described herein as necessary and appropriate, in accordance with standard University procedures and any applicable HIPAA requirements.

ENDNOTES:

    1. 42 U.S.C. 1320d, et seq.
    2. 45 CFR Parts 160, 162, 164
    3. The name and contact information for the Privacy Officer may also be obtained from the Office of the Senior Vice President for Academic Affairs and Provost at 301-405-5252 or via email at HIPAA-Privacy@umd.edu.

ATTACHMENT A

DESIGNATED HEALTH CARE COMPONENT

    Health Care Provider Unit(s)                            When Added
    University Health Center                                April 14, 2003

    Business Associate Type Units                           When Added
    (To the extent they perform covered activities)
    Bursar's Office                                         April 14, 2003
      (Including individuals not within the office who
      have access to billing records)
    Office of Information Technology, Subunits:
      User Support Services                                 April 14, 2003
      Network Operations                                    April 14, 2003
      LAN Services                                          April 14, 2003
      Applications Development                              April 14, 2003
    Office of Legal Affairs                                 April 14, 2003
    Provost's Office, Designated Individuals                April 14, 2003


Copyright © 2012 University of Maryland