Protected Health Information Policy

April 11, 2003
June 5, 2003
July 11, 2003
July 21, 2003
December 1, 2004
April 20, 2005
September 28, 2005
October 3, 2007

Purpose:

The purpose of this statement is to set forth University policy with regard to addressing and meeting institutional requirements and obligations imposed by the Health Insurance Portability and Accountability Act of 1996 in regard to the privacy of health information.

Preamble:

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) imposes specific standards and obligations regarding the privacy of certain protected health information (PHI). Pittsburg State University recognizes its obligations to safeguard PHI. The intent of this policy is to implement HIPAA requirements for the protection of the privacy of PHI.

Policy Statement:

Pittsburg State University will make all reasonable efforts to achieve and maintain compliance with HIPAA standards and obligations regarding the privacy of PHI.

Since the primary function of Pittsburg State University as a state educational institution of Kansas is not to provide health care, the University hereby recognizes itself as a "hybrid entity". Pittsburg State University is voluntarily complying with PHI standards.

The University Privacy Officer in accord with the University President, will designate those units which function as health care providers covered by HIPAA.

This policy applies to all covered units and to all members of the university faculty, staff, volunteers, trainees, agents and students who work with or train in university units that maintain PHI.

Pittsburg State University will conduct appropriate training for affected members of its workforce on policies and procedures as they relate to PHI. All members with immediate PHI access shall receive training and others will be trained as need dictates. Affected new members will receive training in a reasonable time after joining the workforce. Periodic refresher training will occur for all members with access to PHI and when there has been substantial material change in policy or procedure. Training will be documented at the unit level and forwarded to the University Privacy Officer by the supervisor of the affected area upon completion of the training.

To the extent required, PSU will obtain a consent prior to, or at the time of, creating a relationship with a patient/client allowing PSU to use and disclose PHI for treatment, payment, and health care operations as required by law.

All covered University Units shall provide to each patient/client not later than the date of the first service delivery, including service transmitted electronically, a Notice of Privacy Practices (NPP). A copy of the NPP shall be posted by each Covered University Unit and copies shall be made available to patients/clients upon request.

PSU will put in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI. The safeguards include, but are not limited to, the following:

Administrative Safeguards

  1. Confidentiality agreements 
  2. Training and development 
  3. Policies and procedures with ongoing evaluation processes
  4. Notification of University Privacy Officer of substantive changes at the unit level that could potentially impact official policies, procedures or operations as they relate to HIPAA and privacy.
  5. Reasonable steps to verify the identity and authorization of individual(s) and entities requesting PHI under HIPAA.

Technical Safeguards

  1. Privacy statements encrypted on fax and email messages containing PHI.
  2. Limit access to need to know.
  3. Team approach to policy, implementation and evaluation of privacy of PHI.

Physical Safeguards

  1. Locked PHI files when unattended.
  2. Shredding of discarded PHI documents. Obliteration of PHI contained on electronic devices.
  3. Computer monitors, printers, fax machines placed to limit visibility from those without a direct need to know.
  4. Appropriate safeguards when discussing PHI, i.e. lowered voice, attention to setting, etc.

Such safeguards are intended to reasonably safeguard PHI from intentional or unintentional use or disclosure. Unit supervisors are responsible for implementation of safeguards in their area.

Patients/Clients of Covered Units shall have the following specific rights: a right to an accounting of disclosures; a right to request amendment of PHI; a right of access to PHI; a right to request additional privacy protection; a right to complain about privacy and security policies and procedures; a right to be free of intimidating or retaliatory acts for exercising HIPAA rights; and the University will not require an individual to waive rights under this policy or HIPAA as a condition of treatment.

To the extent such documents are not required to be kept longer than applicable federal or state law, documents relating to implementation and compliance with HIPAA and privacy policies and procedures shall be maintained for a minimum of six years.

If any University employee or contractor becomes aware of an actual or alleged breach of this policy or any related departmental policies, or any other actual or alleged breach of required privacy or security of PHI, the employee or contractor is required to report in writing the actual or alleged breach to the Privacy Officer. Pittsburg State University will mitigate, to the extent practicable, any known harmful effect of a use or disclosure of PHI in violation of this policy or other applicable requirements of HIPAA.

Faculty and staff members found to have violated this policy will be subject to disciplinary action up to and including dismissal, under applicable disciplinary policies. Any official sanctions applied shall be documented and held with the University Privacy Officer. A copy may be placed in the employee's official employment record. Students will be subject to disciplinary action under applicable student policies and procedures.

Pittsburg State University and its employees or students who violate HIPAA may be subject to both civil and criminal penalties under HIPAA regulations. Civil monetary penalties are $100 per incident, up to $25,000 per person, per year. Federal criminal penalties range from $50,000 to $250,000 in fines and up to 10 years imprisonment.

PSU has established a process through which an individual may make complaints to PSU regarding its PHI policies and procedures. Notice of this complaint process and information on initiating the complaint process is provided with the NPP made available to all patients/clients, or by contacting the University Privacy Officer.

Upon receipt of a written complaint, the University Privacy Officer shall investigate the complaint and may form an ad hoc committee consisting of appropriate members of the PSU community. After investigating the complaint, and considering its merits, the University Privacy Officer shall make a recommendation in resolution of the issue.

The University Privacy Officer shall maintain copies of complaints and of resolution of complaints for a period of at least 6 years. Any individual may make a complaint to the Secretary of the U.S. Department of Health and Human Services.

Privacy Officer:

Jamie Brooksher is the designated Privacy Officer for Pittsburg State University. To obtain information about HIPAA or to initiate filing a complaint, please contact her in the General Counsel's Office, 207 Russ Hall, Pittsburg State University, 1701 S. Broadway, Pittsburg, Kansas 66762 or at 620-235-4136 or at jbrooksher@pittstate.edu. The Privacy Officer oversees all ongoing activities related to the development, implementation, maintenance of, and adherence to, patient health information in compliance with federal and state laws and the healthcare organization's information privacy practices. The Privacy Officer can delegate certain aspects or duties of compliance to individual unit supervisors for handling requests for inspection, copy, amendment, accounting of disclosures, restrictions, and confidential communications. Official records are maintained with the University Privacy Officer.

IT Security Officer:

Amanda Williams, Security Officer in Information Services, is the designated IT security officer for Pittsburg State University.  Her office is located in 157 Kelce Center, Pittsburg State University, 1701 S. Broadway, Pittsburg, Kansas 66762.  Her business contact number is 620-235-4657 and email address is akwilliams@pittstate.edu.