Health Insurance Portability and Accountability Act (HIPAA)

I. HIPAA Privacy Policy

Maryville University of Saint Louis (the University) sponsors a group health plan (the Plan). Members of the University’s workforce may have access to the individually identifiable health information of Plan participants (1) on behalf of the Plan itself; or (2) on behalf of the University, for administrative functions of the Plan.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations restrict the University’s ability to use and disclose Protected Health Information (PHI). “Protected health information” consists of all individually identifiable information. This information includes demographics (i.e., name, address, e-mail address); relates to past, present or future physical or mental health or condition and related health care services; and relates to information of persons living or deceased.

It is the University’s policy to comply fully with HIPAA’s requirements. All members of the University’s workforce who have access to PHI must comply with this Privacy Policy.

No third party rights (including but not limited to rights of Plan participants, beneficiaries, covered dependents, or business associates) are intended to be created by this Policy. The University reserves the right to amend or change this Policy at any time without notice. Changes may be made retroactively. Any requirements and obligations established by the University, but not required by law, are not binding upon the University.

II. Procedure

Plan’s Responsibilities as Covered Entity

HIPAA Compliance Officer and Contact Person
The HIPAA Compliance Officer or designee will be responsible for the development and implementation of policies and procedures relating to privacy, including but not limited to this Privacy Policy and the University’s use and disclosure procedures. The HIPAA Compliance Officer will also serve as the contact person for participants who have questions, concerns, or complaints about the privacy of their PHI.

Workforce Training
It is the University’s policy to train all members of its workforce who have access to Protected Health Information on its privacy policies and procedures.

Technical and Physical Safeguards and Firewall
The University will establish technical and physical safeguards to prevent PHI from intentionally and unintentionally being used or disclosed in violation of HIPAA’s requirements. Technical safeguards include limiting access to information by creating computer firewalls. Physical safeguards include locking doors or filing cabinets.

Firewalls will ensure that only authorized employees will have access to PHI, that they will have access to only the minimum amount of PHI necessary for plan administrative functions, and that they will not further use or disclose PHI in violation of HIPAA’s privacy rules.

Privacy Notice
The privacy notice will inform participants that the University has access to PHI in connection with its plan administrative functions. The privacy notice provides a description of the University’s complaint procedures, the name and telephone number of the contact person for further information, and the date of the notice.

The HIPAA Compliance Officer will be the Plan’s contact person for receiving complaints. A copy of the complaint procedure shall be provided to any participant upon request.

Sanctions for Violations of Privacy Policy
Sanctions for using or disclosing PHI in violation of this HIPAA Privacy Policy will be imposed in accordance with the University’s discipline policies.

Mitigation of Inadvertent Disclosures of Protected Health Information
The University shall mitigate, to the extent possible, any harmful effects that become known to it of a use or disclosure of an individual’s PHI in violation of the policies and procedures set forth in this Policy. As a result, if an employee becomes aware of a disclosure of Protected Health Information, either by an employee of the Plan or an outside consultant/contractor, that is not in compliance with the Policy, the employee must immediately contact the HIPAA Compliance Officer so that the appropriate steps to mitigate the harm to the participant can be taken.

No Intimidating or Retaliatory Acts; No Waiver of HIPAA Privacy
No employee may intimidate, threaten, coerce, discriminate against, or take other retaliatory action against individuals for exercising their rights, filing a complaint, participating in an investigation, or opposing any improper practices under HIPAA.

No individual shall be required to waive his or her privacy rights under HIPAA as a condition of treatment, payment, enrollment or eligibility.

The University’s privacy policies and procedures, actions, activities and designations shall be documented and maintained for at least six years in written or electronic form.

Policies on Use and Disclosure of PHI

Use and Disclosure Defined
The University and the Plan will use and disclose PHI only as permitted under HIPAA. The terms “use” and “disclosure” are defined as follows:

Use: The sharing, employment, application, utilization, examination, or analysis of individually identifiable health information by any person working for or within the Human Resources Office of the University, or by a Business Associate (defined below) of the Plan.

Disclosure: For information that is Protected Health Information, disclosure means any release, transfer, provision of access to, or divulging in any other manner of individually identifiable health information to persons not employed by or working within the Human Resources Office of the University.

Workforce Must Comply with University’s Policy and Procedures
All members who have access to PHI must comply with this policy and with the University’s use and disclosure procedures. This includes employees, student workers and other persons whose work is under the direct control of the University.

No Disclosure of PHI for Non-Health Plan Purposes
PHI may not be used or disclosed for the payment or operations of the University’s “non-health” benefits (e.g., disability, workers’ compensation, life insurance, etc.), unless the participant has provided an authorization for such use or disclosure (as discussed in “Disclosures Pursuant to an Authorization”) or such use or disclosure is required by applicable state law and particular requirements under HIPAA are met.

Mandatory Disclosures of PHI: to Individual and DHHS
A participant’s PHI must be disclosed as required by HIPAA in two situations: (1) The disclosure is to the individual who is the subject of the information (see the policy for “Access to Protected Information and Request for Amendment” that follows); and (2) The disclosure is made to DHHS for purposes of enforcing HIPAA.

Disclosures of PHI Pursuant to an Authorization
PHI may be disclosed for any purpose if an authorization that satisfies all of HIPAA’s requirements for a valid authorization is provided by the participant. All uses and disclosures made pursuant to a signed authorization must be consistent with the terms and conditions of the authorization.

Complying with the “Minimum Necessary” Standard
HIPAA requires that when PHI is used or disclosed, the amount disclosed generally must be limited to the “minimum necessary” to accomplish the purpose of the use or disclosure.

The “minimum necessary” standard does not apply to any of the following:

  • uses or disclosures made to the individual;
  • uses or disclosures made pursuant to a valid authorization;
  • disclosures made to the DOL;
  • uses or disclosures required by law; and
  • uses or disclosures required to comply with HIPAA.

Disclosures of PHI to Business Associates
Employees may disclose PHI to the Plan’s business associates and allow the Plan’s Business Associates to create or receive PHI on its behalf. However, prior to doing so, the Plan must first obtain assurances from the Business Associate that it will appropriately safeguard the information. Before sharing PHI with outside consultants or contractors who meet the definition of a “Business Associate,” employees must contact the HIPAA Compliance Officer and verify that a Business Associate Agreement is in place.

A Business Associate is an entity that:

  • performs or assists in performing a Plan function or activity involving the use and disclosure of Protected Health Information (including claims processing or administration, data analysis, underwriting, etc.); or
  • provides legal, accounting, actuarial, consulting, data aggregation, management, accreditation, or financial services, where the performance of such services involves giving the service provider access to PHI.

Disclosures of De-Identified Information
The Plan may freely use and disclose de-identified information. De-identified information is health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. There are two ways a covered entity can determine that information is de-identified: either by professional statistical analysis, or by removing 18 specific identifiers.

The 18 specific identifiers are:

  • Name
  • Address
  • All elements of dates, except year
  • Telephone numbers
  • E-mail addresses
  • Fax numbers
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers, including license plate
  • Device identifiers and serial numbers
  • Web Universal Resource Locators
  • Biometric identifiers, including finger and voice prints
  • Full face photographic images and any comparable images
  • Any other unique identifying number, or characteristic, or code

Policies on Individual Rights

Access to Protected Health Information and Requests for Amendment
HIPAA gives participants the right to access and obtain copies of their PHI that the Plan (or its business associates) maintains in designated record sets. HIPAA also provides that participants may request to have their PHI amended. The Plan will provide access to PHI and it will consider requests for amendment that are submitted in writing by participants.

A Designated Record Set is a group of records maintained by or for the University that includes:

  • the enrollment, payment and claims adjudication record of an individual maintained by or for the Plan; or
  • other PHI used, in whole or in part, by or for the Plan to make coverage decisions about an individual.

An individual has the right to obtain an accounting of certain disclosures of his or her own PHI. This right to an accounting extends to disclosures made in the last six years, other than disclosures:

  • to carry out payment or health care operations;
  • to individuals about their own PHI;
  • incident to an otherwise permitted use or disclosure;
  • pursuant to an authorization;
  • for purposes of creation of a facility directory or to persons involved in the patient’s care or other notification purposes;
  • as part of a limited data set; or
  • for other national security or law enforcement purposes.

The Plan shall respond to an accounting request within 60 days. If the Plan is unable to provide the accounting within 60 days, it may extend the period by 30 days, provided that it gives the participant notice (including the reason for the delay and the date the information will be provided) within the original 60-day period.

The accounting must include the date of the disclosure, the terms of the receiving party, a brief description of the information disclosed, and a brief statement of the purpose of the disclosure (or a copy of the written request for disclosure, if any).

The University may impose reasonable production and mailing costs for subsequent accountings.

Requests for Restrictions on Uses and Disclosures of Protected Health Information
A participant may request restrictions on the use and disclosure of the participant’s PHI. It is the University’s policy to attempt to honor such requests if, at the sole discretion of the University, the requests are reasonable. The Human Resources Office is charged with responsibility for administering requests for restrictions.