03.001: General Policy on Health Insurance Portability and Accountability Act (HIPAA) Compliance
Approved
October 26, 2017
John J. Biancamano, General Counsel
Deborah Shaffer, Vice President for Finance & Administration
M. Duane Nellis, President
Ohio university's commitment to HIPAA compliance as a hybrid entity
Ohio university strives to protect the confidentiality, integrity, and availability of protected health information (PHI) by taking reasonable and appropriate steps to address the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA regulates covered entities, which are health plans, health care clearinghouses and health care providers who transmit any health information in electronic form in connection with a covered transaction. HIPAA requires that each covered entity maintains reasonable and appropriate administrative, technical and physical safeguards for privacy and security. HIPAA also requires that entities or individuals who contract to perform services for a covered entity with access to PHI (referred to as “business associates”) comply with the HIPAA privacy and security standards.
Ohio university is a HIPAA hybrid entity as that term is defined by HIPAA at 45 C.F.R. § 164.105. As such, its health care components, which are identified in Ohio university’s standards and procedures, are subject to and must comply with HIPAA.
This general policy reflects Ohio university’s commitment to comply with HIPAA as more fully set forth in the Ohio university HIPAA standards (the “standards”), herein incorporated by reference to this general policy. The standards represent the general operating procedures of Ohio university’s health care components and apply to PHI used or disclosed by or on behalf of Ohio university’s health care components. To the extent the standards express requirements and obligations above and beyond those required by the HIPAA regulations, the standards will be treated as goals but will not be binding on Ohio university. The standards do not address the requirements of any laws other than the HIPAA privacy regulations. No third party rights (including, but not limited to, rights of individuals or business associates) are intended to be created by the standards.
Any questions regarding this general policy or the standards may be directed toward Ohio university’s privacy and/or security officer, as may be appropriate. Ohio university reserves the right to change these standards at any time without notice.
Reviewers
Proposed revisions of this policy should be reviewed by:
- Vice President for Research and Creative Activity
- Faculty Senate
- Deans Council
- Chairs
- Directors
- Chief Human Resource Officer