UH HIPAA Policy

J.T.AshUniversityofHawaiiSystemHIPAAComplianceOfficer

jtash@hawaii.eduhipaa@hawaii.edu

AgendaØHIPAAisa“TEAMSPORT”andeveryonehasaroleinprotectingprotectedhealthinformation(PHI).

ØPurposeoftheUHHIPAAPolicy

ØObjectivesoftheUHHIPAAPolicy

ØGeneralRequirementsandpractices

ØRolesandresponsibilities

ØPoliciesandprocedures

UH HIPAA Policy PurposeØEnsurethattheUniversityofHawai‘i(the“University”)complieswiththeHealthInsurancePortabilityandAccountabilityActof1996,asamendedbytheAmericanRecoveryandReinvestmentActof2009(“ARRA”),whichincludedtheHealthInformationTechnologyforEconomicandClinicalHealthAct(“HITECH”)thatexpandedthescopeofprivacyandsecurityprotections,andbytheimplementingregulationsat45CodeofFederalRegulations(“CFR”)Parts160,162and164,asamended(collectivelyreferredtoas“HIPAA”).

UH HIPAA Policy ObjectivesØEstablishUniversitySystem-widepoliciesandproceduresto:

Ø DesignatetheUniversityasaHybridEntityØ EstablishfundamentalprinciplesgoverningtheUniversity’smanagementanduseof

ProtectedHealthInformation(“PHI”)Ø Establishasetofstandardizedtermsanddefinitionstopromoteconsistentinterpretation

andimplementationoftheUniversity’sHIPAAPolicy.Ø EstablishclearlinesofauthorityandaccountabilityrelatedtoPHI.Ø SetforthbestpracticesforHIPAAcompliancewiththeongoingobjectivesof:

Ø IdentifyingUniversityunitsandsubunits(andtheiractivities)thataresubjecttoHIPAAØ ManagingandmitigatinginformationprivacyandsecurityrisksrelatedtoPHI.

General requirements and practices

ØDONOTsharePHIwiththenon-coveredUnitsoftheUniversity(SeeBelow)

ØComplywithHIPAAandthisHIPAAPolicy

ØPerformariskassessment

ØDesignateaUnitHIPAACoordinator

ØCompleteHIPAAtraining

➢MaintainaBAAwithanotherinternalUniversityUnitoranentityoutsidetheUniversitytosharePHIoraLimitedDataSet.

➢MaintainaDataUseAgreementandBAAthatreceivestheLimitedDataSet,andsuchusehasbeenapprovedbytheUniversity’sInstitutionalReviewBoard(“IRB”).

➢PostsaNoticeofPrivacyPracticesasrequiredbyHIPAA

Roles and responsibilities – Office of the Vice President for Information Technology

and Chief Information Officer (OVPIT)ØDesignatestafftoserveastheUniversitySystemHIPAAPrivacyandSecurityOfficer(s)

Roles and responsibilities – UH System HIPAA Privacy and Security Officer

ØRelatingtotheHIPAAPrivacyRule:

ØMaintainongoingcommunicationwithallUnitHIPAACoordinators;

ØCoordinatetrainingprogramsforthedesignatedUHCoveredComponents(employees,studentsandvolunteers)incooperationwiththeUnitHIPAACoordinators

ØMaintainongoingcommunicationswiththeIRBregardingresearchuseofPHIandLimitedDataSets

ØRespondtocomplaintsregardingUniversitypolicies,proceduresandpracticesrelatedtotheprivacyofhealthinformation

ØRespond,orrefer,totheappropriateUHCoveredComponent,requestsbyindividualsforaccessandamendment,anaccountingofdisclosures,orrequestedrestrictionstotheuseanddisclosureofPHI.

ØApproveandexecuteallBAAs,DataUseAgreements,andDataSharingAgreements.

Roles and responsibilities – UH System HIPAA Privacy and Security Officer

ØRelatingtotheHIPAASecurityRule:

ØMaintainongoingcommunicationwiththeUnitHIPAACoordinators;

ØGuideandassistwiththedevelopmentandimplementationofongoingsecurityawarenessandtrainingprogramsfortheemployees,students,andvolunteersofeachUHCoveredComponent

ØMonitortheuseofsecuritymeasurestoprotectPHI

ØAssistinrevisingthisHIPAAPolicyandanyUniversitypolicyorprocedurerelatedtotheprivacyandsecurityofPHI,asrequiredtocomplywithchangesinanyapplicablelaw,aswellasdocumentinganychangetoanypolicyorprocedurerelatedtotheprivacyandsecurityofPHI.

Roles and responsibilities – Unit HIPAA Coordinators

ØMaintainongoingcommunicationwiththeUHSystemHIPAAPrivacyandSecurityOfficer(s)

ØDevelopandmaintainproceduresconsistentwiththisHIPAAPolicyforprotectionofPHIandePHIintheUniversityUnit,whichisconsideredaUHCoveredComponent

ØMaintainandupdate,asneeded,proceduresconsistentwiththepolicyforprotectionofPHIandePHIintheUniversityUnit

ØInformemployees,volunteers,students,andasneeded,consultantsandothers,aboutthisHIPAAPolicyandallUniversitypoliciesandproceduresrelatingtoHIPAAthroughvariousmethodsincludingbutnotlimitedtostaffmeetings,inpersonmeetings,seminars,orientationmeetingsandphoneorwebbasedmeetings

ØMonitortheprocessofidentifyingandtrainingnewemployees,volunteersandstudentswithintheUniversityUnitwhorequireaccesstoPHI

ØMonitorcompliancewiththepoliciesandproceduresoftheUniversityUnitrelatingtoHIPAA

Roles and responsibilities – Unit HIPAA Coordinators

ØReportdirectlytotheUHSystemHIPAAPrivacyandSecurityOfficer(s),anyandallviolationsthatresultinanimpermissibleuseordisclosureofPHIand/orePHI;

ØReportdirectlytotheUHSystemHIPAAPrivacyandSecurityOfficer(s),anyandallprivacyviolationsunderHIPAA;

ØReportdirectlytotheUHSystemHIPAAPrivacyandSecurityOfficer(s),anyandallsecurityviolationsunderHIPAA;

ØEnsurecontinuedcompliancewithHIPAA,thisHIPAAPolicy,andallUniversitypoliciesandproceduresrelatingtoHIPAA;and

ØReviewallBAAs,DataUseandDataSharingAgreementspriortoexecutionbytheProjectPrincipalInvestigatororProgramLead.

Policies and proceduresØGeneralRequirementsandPractices:➢ SharingPHI➢ RiskAssessment➢ DesignateaCoordinator➢ HIPAATraining➢ BAAManagement(Internal&External)

Policies and procedures – HIPAA Privacy

ØRelatingtotheHIPAAPrivacyRule:Ø DisclosureonlywithconsentØ DisclosurerequiredtoindividualandDHHSØ DisclosuretoUHCoveredComponentØ DisclosuretoBusinessAssociateØ DisclosurepursuanttovalidauthorizationØ DisclosureformarketingpurposesØ DisclosureofpsychotherapynotesØ DisclosurerelatingtominorsØ DisclosurerequiringadvancenoticeandopportunitytoagreeorobjectØ DisclosurewhenauthorizationoropportunitytoagreeorobjectnotrequiredØ DisclosuretodetermineidentityorcauseofdeathØ Disclosureforresearchpurposes

Policies and procedures – HIPAA Privacy (continued)

Ø Disclosuretoprevent/lessenimminentthreatofharmØ DisclosureforworkerscompensationpurposesØ Disclosureofde-identifieddataØ DisclosureofLimitedDataSetØ DisclosureconsentrequirespriornoticeofprivacypracticesØ DisclosurebyUnitwhichisafederallyassisteddrugabuseprogramorafederallyassisted

alcoholabuseprogramØ RightstorequestprivacyprotectionforPHIØ AccessofindividualstoPHIØ AmendmentofPHIØ AccountingofdisclosuresofPHIØ AdministrativerequirementsØ OrganizationalOptions(CoveredEntitiesmustdesignateinwritingitsoperationsthat

performcoveredfunctionsasoneormore“healthcarecomponents).

Policies and procedures – HIPAA Security

ØRelatingtotheHIPAASecurityRule (Administrativesafeguards)Ø SecurityManagementProcess § 164.308(a)(1)

Ø RiskAnalysis(R)Ø RiskManagement(R)Ø SanctionPolicy(R)Ø InformationSystemActivityReview(R)

Ø AssignedSecurityResponsibility § 164.308(a)(2)Ø WorkforceSecurity § 164.308(a)(3)

Ø Authorizationand/orSupervision(A)Ø WorkforceClearanceProcedure(A)Ø TerminationProcedures(A)

Ø InformationAccessManagement § 164.308(a)(4)Ø IsolatingHealthCareClearinghouseFunctions(R)Ø AccessAuthorization(A)Ø AccessEstablishmentandModification(A)

Policies and procedures – HIPAA Security

ØRelatingtotheHIPAASecurityRule (Administrativesafeguards)Ø SecurityAwarenessandTraining § 164.308(a)(5)

Ø SecurityReminders(A)Ø ProtectionfromMaliciousSoftware(A)Ø Log-inMonitoring(A)Ø PasswordManagement(A)

Ø SecurityIncidentProcedures § 164.308(a)(6)Ø ResponseandReporting(R)

Ø ContingencyPlan § 164.308(a)(7)Ø DataBackupPlan(R)Ø DisasterRecoveryPlan(R)Ø EmergencyModeOperationPlan(R)Ø TestingandRevisionProcedures(A)Ø ApplicationsandDataCriticalityAnalysis(A)

Policies and procedures – HIPAA Security

ØRelatingtotheHIPAASecurityRule (Administrativesafeguards)Ø Evaluation § 164.308(a)(8)Ø BusinessAssociateContractsand § 164.308(b)(1)

Ø WrittenContractorOtherArrangement(R)Ø OtherArrangements

Policies and procedures – HIPAA Security

ØRelatingtotheHIPAASecurityRule (Physicalsafeguards)Ø FacilityAccessControls § 164.310(a)(1)

Ø ContingencyOperations(A)Ø FacilitySecurityPlan(A)Ø AccessControlandValidationProcedures(A)Ø MaintenanceRecords(A)

Ø WorkstationUse § 164.310(b)Ø WorkstationSecurity § 164.310(c)Ø DeviceandMediaControls § 164.310(d)(1)

Ø Disposal(R)Ø MediaRe-use(R)Ø Accountability(A)Ø DataBackupandStorage(A)

Policies and procedures – HIPAA Security

ØRelatingtotheHIPAASecurityRule (Technicalsafeguards)Ø AccessControl § 164.312(a)(1)

Ø UniqueUserIdentification(R)Ø EmergencyAccessProcedure(R)Ø AutomaticLogoff(A)Ø EncryptionandDecryption(A)

Ø AuditControl § 164.312(b)Ø Integrity § 164.312(c)(1)

Ø MechanismtoAuthenticateElectronicProtectedHealthInformation(A)Ø PersonorEntityAuthentication § 164.312(d)Ø TransmissionSecurity § 164.312(e)(1)

Ø Encryption(A)Ø IntegrityControls(A)

Policies and procedures – HIPAA Security

ØRelatingtotheHIPAASecurityRule (BreachofUnsecuredPHI)Ø NotificationintheCaseofBreachofUnsecuredPHIØ NotificationtoIndividualsØ NotificationtoothersØ NotificationtotheDHHSSecretaryØ NotificationbyaBusinessAssociateØ NotificationtoandcoordinationwithUHSystemHIPAAPrivacyandSecurityOfficer(s)

J.T.AshUHSystemHIPAAComplianceOfficerjtash@hawaii.edu •(808)956-7241