This website publishes administrative rules on their effective dates, as designated by the adopting state agencies, colleges, and universities.

Rule 3361:10-5-20 | Organization: HIPAA administration and compliance.

 

(A) The university is committed to compliance with all requirements of the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (hereinafter "HIPAA"), as they may be amended from time to time.

Because the university only uses and engages in electronic transactions involving HIPAA protected health information for a part of its operations, the university has designated itself as a hybrid entity for purposes of HIPAA compliance. The university's health care components, and components that perform activities that would make the component a business associate of the university if it were legally separate, are therefore subject to the specific requirements of HIPAA. The components subject to the requirements of HIPAA shall be designated in the university's HIPAA privacy policy as it may be amended from time to time. Other components may be designated as part of the hybrid as may be required to comply with changes in the law, or as necessary for the orderly operation of the university as determined in writing by the vice president for legal affairs and general counsel.

In the event an additional university component is designated as part of the university's hybrid entity, the vice president for legal affairs and general counsel shall report such designation to the board for information at its next regular meeting.

(B) Overall administration of the university's HIPAA compliance program shall be the responsibility of the university HIPAA privacy official, who shall be appointed by and shall report to the vice president for legal affairs and general counsel. The responsibilities of the university privacy official shall include:

(1) Developing, implementing and maintaining the HIPAA compliance program;

(2) Coordinating the implementation of appropriate policies and procedures;

(3) Developing and overseeing the training of employees in the healthcare components of the hybrid entity and other employees as appropriate;

(4) Serving as the contact person for any HIPAA-related complaints and administering appropriate complaint procedures and processes;

(5) Overseeing HIPAA breach notification;

(6) Coordinating the implementation and enforcement of sanctions against employees who violate HIPAA policies;

(7) Conducting HIPAA audits;

(8) Overseeing institutional HIPAA compliance; and

(9) Developing, implementing and monitoring all other obligations of the university under HIPAA.

(C) Although only the healthcare components of the university's hybrid entity are part of a covered entity for purposes of HIPAA compliance, all employees of the university are required to protect and safeguard the confidentiality of individually identifiable health information relating to the physical or mental health or condition of an individual, the provision of health care to an individual or the payment for health care for an individual. This requirement is a statement of university policy and is not intended to subject components of the university that are not part of the university's hybrid designation to the specific requirements of HIPAA.

Last updated June 5, 2021 at 3:36 AM

Supplemental Information

Authorized By: 3361
Amplifies: 3361
Prior Effective Dates: 7/15/2011