HIPAA Compliance Policy
To describe the requirements pertaining to the handling of Protected Health Information (PHI) on the Lawrence and Edwards campuses.
The University of Kansas, Lawrence and Edwards campuses and the employees, students, volunteers, trainees, agents, business associates, or subcontractors involved in the creation, receipt, transmission, storage, or disposition of Protected Health Information covered by the policy.
The University of Kansas is committed to protecting individuals’ health information in compliance with applicable laws and regulations, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Scope
HIPAA imposes requirements relating to the privacy and security of “Protected Health Information,” or “PHI,” on Covered Entities. This means that Covered Entities must use and disclose PHI only in certain manners as permitted or required by law and provide for reasonable and appropriate privacy and security of PHI in their care as well as accountability for the use and disclosure of such personal health information. Further, under HIPAA, patients have certain rights of access, use and disclosure regarding their own personal health information.
HIPAA specifically excludes from coverage “treatment records” or student “education records” covered by the Family Educational Rights and Privacy Act (FERPA) as defined at 20 U.S.C. 1232g or in 34 CFR Part 99. HIPAA specifically excludes records of an employer in the capacity of employer, such as workers’ compensation records and records retained regarding requests for leave.
Guidelines and Standards
The University has issued operational guidelines (minimum standards) regarding the privacy and security of individuals’ health information for clinics with patient medical or health information (including, but not limited to, the Covered Components) on the Lawrence or Edwards campuses, and those reporting to those campuses. Covered Components and other clinics providing health care must follow these minimum standards as well as adopt written standards for their component or clinic to follow.
The Clinic Policies and Procedures Regarding Privacy and Security of Patient Information are posted in the KU Policy Library.
Questions regarding the application of guidelines may be directed to the HIPAA Privacy Office at 913-588-0940, or the Information Security Office at 785-864-9003.
Officials
The HIPAA designated officials (Officials) for KU include the Privacy Officer and the Information Security Officer. Additionally, each Covered Component and each Supporting Unit is responsible for designating a HIPAA liaison in order to update their respective workforce members on HIPAA related issues or changes.
Hybrid Entity
The University of Kansas is a single legal entity that performs “covered” and “non-covered” functions as defined by HIPAA. The University, through the Officials, designates the areas where covered functions are performed as Covered Components or those support functions as Supporting Units.
Any component, including a research component, that functions as a healthcare provider and conducts the standard electronic transactions, must be designated as a Covered Component.
Covered Components
All units that are designated by the University as Covered Components under HIPAA must comply with the policy, procedures and guidelines prescribed by the University.
The University’s Covered Components are required to implement appropriate procedures and safeguards (administrative, physical and technical) to prevent the unauthorized use and/or disclosure of PHI. Each Covered Component must, at minimum, follow the guidelines set forth in the Clinic Policies and Procedures Guide and document such policy, procedures, and administration specific to their respective component or unit.
Covered Components must notify the University, through the Privacy and Security Officers, of any units performing business functions or services on behalf of the Covered Component, to the extent that the unit may have access to PHI (or otherwise create, use, maintain, store or transmit PHI on their behalf). This includes Business Associates, vendors or subcontractors.
Supporting Units
Some units of the University may, from time to time, have access to PHI in order to perform business or support services on behalf of the University’s Covered Components. These “Supporting Units” are required to follow the requirements of this Policy. Specifically, Supporting Units must appropriately safeguard the PHI that they access, use, and/or disclose. Each Supporting Unit must require training of workforce members as provided below. PHI access must be limited to the amount minimally necessary to provide the services.
The University shall maintain a listing of all units that are designated as Supporting Units.
Business Associates
In some cases, a Covered Component may require a person or entity that is not a part of the University to perform or assist in the performance of certain functions, activities or services on behalf of the University, that requires use of, or access to, PHI by the external person or entity. Examples include, but are not limited to, medical transcription services, third party billing companies, medical software vendors, billing or collections services, consulting companies, accreditation organizations, and medical record copying services.
Prior to permitting creation, receipt, use, maintenance, transmission of and/or access to the PHI, the Covered Component or Supporting Units must ensure that the external person or entity has entered into a “Business Associate Agreement” in a form or format approved by the University, or otherwise reviewed and approved by the Office of the General Counsel or Office of Research, Contracts. The Covered Component/Supporting Units shall be responsible for compliance with this provision and for maintenance of the appropriate documentation and verification of the business associate, vendor, contractor or subcontractor.
In some cases, a unit of KU may function as a Business Associate of an outside HIPAA Covered Entity or another Business Associate. Such Business Associate relationships must be established contractually in accordance with University contracting procedures, including approval by the appropriate legal oversight unit. Business Associate Agreements for services or functions performed by an individual of a University unit that are not related to a research agreement shall require review and approval by the Office of the General Counsel.
The individual or office responsible for the project’s oversight on behalf of the University, and the PI, shall be responsible for overseeing compliance with the terms of the applicable Business Associate Agreement in accordance with University policies and procedures and HIPAA requirements.
Safeguards
The Covered Components and Supporting Units shall be responsible for ensuring that appropriate safeguards are implemented to protect the confidentiality, integrity and availability of the PHI in the University’s care. Such safeguards shall include administrative, technical and physical safeguards pursuant to the HIPAA Security Rule. Safeguards shall apply regardless of form or format of data, device or storage (e.g., verbal, paper, electronic, server, portable device, etc.). The Officials shall oversee this process.
The University and HIPAA require risk analysis of the Covered Components and Supporting Units. Units shall coordinate with the Officials to ensure this is accomplished, including regular reviews and updates.
Training and Awareness
The Covered Components and Supporting Units are responsible for implementation of training and awareness programs, including unit specific requirements. All workforce members of the Covered Components and Supporting Units with access to PHI, or potential access to PHI, including student trainees, volunteers, residents, and fellows, are required to complete the University’s Privacy and Security Awareness Training within 90 days of hire to such unit, and annually thereafter.
Such workforce members additionally shall be required to sign a confidentiality code or statement in a form approved by the University prior to accessing PHI. The position descriptions of these workforce members should reflect this requirement and be updated as appropriate with Human Resource Management.
Research
For research-related uses of PHI, all members of each research project shall be required to successfully complete the training modules offered by the Office of Research. The Principal Investigator must ensure compliance with the training requirement for all project team members.
Business Associate Agreements or Subcontracts that are sponsored research or grant projects will require the assistance and review of the Office of Research.
Reporting and Handling Violations
All members of the KU community are obligated to report a known or suspected information security incident by immediately reporting any concerns to IT Customer Service Center at 785-864-8080.
Covered Components and Supporting Units shall require such reporting and appropriately mitigate, to the extent practicable in conjunction with the Officials, any known harmful effects of the use or disclosure of PHI or IIHI in violation of applicable University or unit policies and procedures or the requirements of HIPAA.
Notification of any persons impacted by a breach of PHI shall be reviewed and coordinated by the Officials, in conjunction with the Office of the General Counsel, and shall follow HIPAA requirements.
Questions or Complaints
Questions, concerns or complaints regarding the use and disclosure of PHI on the Lawrence and Edwards campuses may be submitted to the Covered Component liaison, to the Privacy Officer, or to the Secretary of HHS. The University of Kansas Hotline may also be used to anonymously report a complaint or concern by calling 844-420-9065 or by using the online report form.
No Retaliation
Intimidation, retaliation and/or discrimination against any individual for exercising an individual's rights under applicable privacy laws, including but not limited to filing a complaint regarding a privacy practice, is strictly prohibited.
Preemption
HIPAA does not preempt state law that is more stringent in requirements or coverage; however, HIPAA controls in the event of a conflict between federal and state laws. HIPAA does not preempt institutional review board requirements as they pertain to the protection of human subjects.
Violations of University (or unit) policies and procedures, and/or laws regarding the confidentiality, privacy, and/or security of health information may result in disciplinary action and/or other corrective measures. Investigations and determinations regarding corrective measures will be made in accordance with the University’s existing policies and procedures regarding such matters.
HIPAA Privacy Officer
Director, Privacy Program
Office of Audit, Risk & Compliance
913-588-0940
cgriffith@ku.edu
Anonymous Reporting Hotline
https://hotline.ku.edu
Chief Information Security Officer
Information Technology Security Office
785-864-9003
itsec@ku.edu
The University of Kansas designated several components as Covered Components under HIPAA as early as 2003. The University provided a handbook on policy and procedures in order to be in compliance. This policy updates the requirements and status to notify the entire community of the University efforts in compliance regarding Protected Health Information.
Individually Identifiable Health Information (IIHI): means information that is a subset of health information, including demographic information collected from an individual, and:
- Is created or received by a health care provider; and
- Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
- That identifies the individual; or
- With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
Protected Health Information (PHI): PHI includes information relating to past, present, or future physical or mental health or condition, health care treatment, or payment for health care. Additionally, PHI includes information that can identify an individual, such as, but not limited to, name, social security number (SSN), address, date of birth, medical history or medical record number.
Security Incident: means the successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
10/25/2024: Updated broken link.
06/04/2024: Updated Contact section.
07/10/2023: Revised to codify current practices and update contact information.
09/05/2018: Updated Contact section.
06/29/2017: Fixed broken links.
07/11/2016: Updated to remove gendered pronouns.
10/20/2015: Minor edits made to correct previous upload error.
10/16/2015: Minor edits made to correct previous upload error.
01/12/2015: Policy published to the Policy Library.
01/09/2015: This policy was developed by the HIPAA committee and was reviewed by deans, directors, department chairs and administrators on the Lawrence and Edwards campuses. Prior to final approval by the Provost, the policy was endorsed by the Senior Vice Provost for Academic Affairs and the Vice Provost for Administration and Finance.