HIPAA Privacy, Security, and Breach Notification

1. Purpose of Policy

   1. Identify Western Michigan University (WMU or the University) as a Hybrid Entity;

   2. Acknowledge that the University performs certain activities that meet the definitions of a “Covered Entity” and “Business Associate”;

   3. Establish the University's commitment to maintaining a broad operational framework for the Privacy, Security, and Breach Notification Rules found in HIPAA; and

   4. Ensure all members of the University community understand their rights and obligations with regard to the privacy, security, and integrity of Protected Health Information (PHI).

2. Stakeholder Most Impacted by the Policy

   This Policy applies to all University Health Care Component Workforce members; all other persons whose conduct, in the performance of work for a Health Care Component, is under the direct control of such Health Care Component, regardless of whether they are paid by the Health Care Component; and to all other persons who perform services for or on behalf of a Health Care Component that functions as a Business Associate for a non-University entity.

3. Key Definitions

   1. Unless otherwise defined, all capitalized terms in this Policy have the same definitions found in HIPAA (45 CFR Parts 160, 162, and 164).

   2. Business Associate: a person or entity that performs certain functions or activities that involve the use or disclosure of Protected Health Information (PHI) on behalf of, or provides services to, a Covered Entity.

   3. Covered Entity: a health care provider that conducts certain transactions electronically, a health plan, or a health care clearing house

   4. HIPAA Compliance Coordinator:  designated individual who oversees and coordinates university-wide compliance efforts

   5. HIPAA Compliance Officer: designated individual within each Covered Component who is responsible for component-specific HIPAA compliance

   6. HIPAA Privacy Officer: designated individual who works with Covered Components’ HIPAA Compliance Officers to oversee ongoing activities related to the University's implementation of this Policy

   7. HIPAA Security Officer: Individual or team who is responsible for ensuring compliance with the Security and Breach Notification Rules established at 45 CFR Parts 162 164, Subparts C and D.

   8. Protected Health Information (PHI): individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.

   9. University Healthcare Components (Covered Component or Component):  For purposes of this policy, the following WMU entities are covered components: Sindecuse Health Center; Unified Clinics; Kalamazoo Autism Center; Department of Athletics, Medical Services; Department of Human Resources; Institutional Research; Office of Information Technology members assigned to work for health care components; Center for Disability Services.  See the WMU Hybrid Designation.

   10. Workforce Member: any University employee, partner, volunteer, trainee, and/or agent

4. Full Policy Details

   1. Organizational Guidelines

      1. WMU personnel will maintain the privacy and security of patients’ PHI. WMU will implement policies and procedures as necessary to comply with HIPAA and related laws, rules, or regulations.

      2. The HIPAA Privacy Officer is the University's chief point of contact with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) for all HIPAA complaints, investigations, and related matters.

      3. The HIPAA Security Officer will work with Component Compliance Officers to develop, implement, and maintain policies and procedures necessary for Components to comply with the HIPAA Security Rule, including those necessary to establish and maintain administrative, physical, and technical security safeguards and to prevent, detect, contain, and correct security violations.

      4. The HIPAA Compliance Coordinator will coordinate with each designated Component to assist with the development of a HIPAA compliance program as necessary.

   2. Designation of Health Care Components: WMU is a hybrid entity with several health care Components and a self-insured health insurance plan Component.  Any University Component that meets the HIPAA definition of a Covered Entity or Business Associate if it were a separate legal entity shall be designated as a Covered Component.  The Privacy Officer will periodically evaluate Covered Components, with input from appropriate stakeholders, to ensure that designations remain proper and any additional designations are made in a timely manner.  The University’s Hybrid Entity Designation statement identifies WMU’s Covered Components.

   3. Other WMU units that provide health care services, while not subject to HIPAA privacy and security requirements, must comply with the University’s privacy and confidentiality policies. In the event any other University unit receives notification of a potential HIPAA violation or violation of this policy, the unit shall promptly notify the Privacy Officer.

   4. Investigation

      1. If a Component identifies or is informed of a potential breach, the Component’s Compliance Officer will conduct an initial fact-finding investigation.

      2. The Compliance Officer will then inform the Privacy Officer of the results and assist the Privacy Officer in evaluating and recommending appropriate corrective actions as necessary, including but not limited to notification under HIPAA or state or federal law. The Privacy Officer may involve other University units as appropriate to conduct a full investigation, including, but not limited to legal counsel, employees, agents, contractors, or consultants.

      3. All Workforce members will cooperate in such investigations and promptly respond to inquiries from Compliance or Privacy officers or to any other such requests from units assisting with or coordinating the investigation.

   5. Determining Whether A Breach of Protected Health Information Has Occurred

      1. For purposes of this Policy, a breach is presumed if there is unauthorized access, acquisition, use, or disclosure of unsecured PHI.  The presumption is rebutted if WMU can demonstrate that (1) there is a low probability that the information was compromised based on a risk assessment of certain factors set forth in the University’s HIPAA procedures, or (2) the situation fits within one of the following circumstances or exceptions to the breach notification rule:

         1. The acquisition, access or use of PHI by a Workforce member or a person acting under WMU’s authority was unintentional and such acquisition, access, or use was made in good faith, within their scope of authority, and does not result in further use or disclosure in violation of the HIPAA privacy rules;

         2. A person who is authorized to access PHI at WMU inadvertently discloses the PHI to another person authorized to access patient information at WMU, and the disclosed PHI is not further used or disclosed in violation of the HIPAA privacy rules;

         3. WMU has a good faith belief that the person to whom the disclosure was made would not reasonably have been able to retain the information; or

         4. The use or disclosure involves PHI that has been “secured” according to standards published by HHS, meaning the data is unusable, unreadable, or indecipherable to unauthorized individuals. Whether the information is properly secured will depend on the nature of the information and how well it is protected.

      2. If the HIPAA Privacy Officer determines the information did not meet one of the circumstances or exceptions listed in Sections 4.5.1.1 through 4.5.1.4, the HIPAA Privacy Officer must conduct a risk assessment.  There is a presumption that an impermissible use or disclosure is a breach unless it can be determined through a risk assessment that there is a low probability that the PHI has been compromised.  If the HIPAA Privacy Officer concludes there is a low probability the PHI has been compromised, then notification is not required.

      3. WMU has designated a Breach Notification Team to assist the Privacy Officer in evaluating the University’s breach notification requirements.  The team consists of:

         1. Director of the Covered Component where the violation may have occurred;

         2. HIPAA Security Officer and member(s) of the Information Technology Security Team;

         3. Representative from the Office of the Vice President for Business and Finance;

         4. Representative from the Office of the General Counsel;

         5. HIPAA Privacy Officer; and

         6. Representative from the vice-presidential area (or equivalent) where the potential violation occurred (if not already represented).

      4. If the Breach Notification Team determines that WMU must provide notification of an incident, the Privacy Officer will prepare and send appropriate notification as set forth in the Breach Reporting Procedures.

      5. In determining whether notification is required, the Privacy Officer may consult with legal counsel, employees, agents, contractors, consultants as reasonably necessary to determine WMU’s notification obligations.

   6. Business Associates

      1. WMU must have current, signed Business Associate Agreements (BAAs) with all entities that use or disclose PHI on behalf of WMU or that provide services to a Covered Component.

      2. Only the Privacy Officer has authority to sign BAAs on behalf of WMU’s Covered Components.

      3. WMU shall seek to require any Business Associate to notify WMU of a potential breach within five business days of discovery and provide information about the individuals involved in the potential breach within thirty days of discovery.

      4. In certain circumstances, Business Associate’s knowledge of a breach may be imputed on WMU.  Therefore, the deadline for providing notice will be based upon when the Business Associate knew or should have known about the breach.

   7. Reporting Violations: If any University Workforce member becomes aware of an actual or alleged violation of HIPAA requirements or this Policy, the individual shall report the actual or alleged violation as set forth in the Breach Notification Procedures.  Any member of the public may notify the Privacy Officer of an actual or alleged violation of HIPAA requirements or of this Policy.

      1. The HIPAA Privacy Officer will make the final determination regarding whether a reported violation constitutes a Breach.

      2. As required by applicable law, the University will mitigate any violation of this Policy or applicable HIPAA requirements.

   8. Communication

      The director of each Covered Component will share the details of this Policy with its Workforce members.  Additionally, notice will be posted in WMU Today.

   9. Exceptions

      1. There are no exceptions to this Policy for Covered Health Care Components or Workforce members.

      2. Student health information obtained or created as part of the student’s academic career is generally covered under the privacy provisions of the Family Educational Rights and Privacy Act (FERPA) and is kept separate from their medical records. This Policy in no way affects the applicability of FERPA regulations to student records, including student health records originally created as a result of health care services provided by the Sindecuse Health Center or other campus clinics, programs, or centers, but that have been subsequently associated with the student’s academic or conduct files.

5. Accountability

   1. Failure to follow this Policy and any associated procedures, to include cooperating with any investigation or notice requirements, may subject WMU employees to disciplinary action, up to and including dismissal from employment by the University, consistent with applicable Bargaining Unit contracts and procedures.

   2. Students in violation of this Policy may be subject to disciplinary action under the applicable student policies and procedures.

   3. Individuals who are in violation of HIPAA regulations may be subject to civil and criminal penalties as provided by law.

6. Related Procedures and Guidelines

   WMU Hybrid Designation

   University HIPAA Breach Notification Procedures   Sindecuse HIPAA Breach Notification Procedures (not yet posted)   Unified Clinics HIPAA Breach Notification Procedures (not yet posted)   Center for Disability Services HIPAA Breach Notification Procedures (not yet posted)   Kalamazoo Autism Center HIPAA Breach Notification Procedures (not yet posted)   Department of Athletics Medical Department HIPAA Breach Notification Procedures (not yet posted)   Department of Human Resources HIPAA Breach Notification Procedures (not yet posted)

7. Additional Information

   1. The Privacy Officer and Covered Components shall retain copies of all related documentation, including but not limited to reports or complaints of privacy violations; results of investigations, including facts and conclusions relating to the risk assessment; required notices; logs of privacy breaches; sanctions imposed; and press releases related to breach notifications, for six years from the date on which the alleged breach was discovered by or reported to WMU.

   2. After any breach, regardless of whether the breach is reportable, the University Privacy Officer, in collaboration with University Compliance and Security Officers, will evaluate the sufficiency of existing policies and procedures in an effort to prevent future similar breaches.

   3. Retaliation against an individual who reports potential violations of this policy and/or HIPAA is prohibited. Individuals who believe that they have been retaliated against may contact IE and/or file a complaint with any of the below entities:  Office for Civil Rights (Regional Office) U.S. Department of Education 1350 Euclid Avenue, Suite 325 Cleveland, OH 44115-1812 Telephone: (216) 522-4970 FAX: (216) 522-2573; TDD: (800) 877-8339 Email: OCR.Cleveland@ed.gov   Equal Employment Opportunity Commission – Detroit Office Patrick V. McNamara Building 477 Michigan Avenue, Room 865 Detroit, MI 48226  Phone: 1-800-669-4000  Fax: 313-226-4610  TTY: 1-800-669-6820  

   4. The University Privacy Officer will post information to enable reporting of actual or alleged violations. The Privacy Officer will work with units to develop procedures to ensure the prompt and timely response to reports of violations.

   5. The Privacy Officer may be contacted at 269.387.1900 or hipaa-officer@wmich.edu.  To contact the Compliance Official at a Covered Component, navigate to that Covered Component’s directory webpage.

   6. All University colleges, centers, departments, programs, or individuals must notify the Privacy Officer if they intend to engage in HIPAA Standard Transactions, send, receive, and/or maintain PHI in connection with the provision of health care services or engage as a Business Associate to a Covered Entity if they have not previously been engaged in such activity.  Notification must be as soon as possible prior to proposed initiation of such transactions or activity, but no later than ninety days prior to the planned implementation date to enable the University HIPAA Privacy Officer to conduct an analysis and recommend appropriate HIPAA compliance measures.

8. FAQs

   1. What are some examples of HIPAA breaches?

      1. Unauthorized access to WMU’s electronic information system;

      2. Authorized access to PHI for an improper purpose;

      3. Information intended for an authorized individual was misdirected (for example, by e-mail or fax transmission);

      4. A business associate has suffered a potential data breach;

      5. Individuals whose PHI WMU maintains have been the victims of identity theft or other identity fraud crime; or

      6. A client file that may contain sensitive information cannot be located.

   2. Do incidental disclosures violate the HIPAA privacy rule?

      No. Disclosures that are incidental to an otherwise permissible use or disclosure (e.g., a individual overhears a physician speaking with another individual, or sees information about another individual on a whiteboard or sign-in sheet) do not violate the privacy rule so long as the covered component has implemented reasonable safeguards to avoid improper disclosures;

   3. I work in an Academic unit that does not provide any clinical services.  If personally identifiable information in an employee or student file that I have access to is improperly disclosed, is this covered by HIPAA?

      No.  HIPAA only applies to those entities WMU has designated as Covered Components.  However, you must still comply with the University’s privacy and confidentiality policies and procedures, so you should still report the disclosure and the University should evaluate whether there are mitigating actions it can take.

History

Authorization