Lawriter - OAC - 3364-15-01 HIPAA organizational structure and administrative responsibilities.

3364-15-01 HIPAA organizational structure and administrative responsibilities.

(A) Policy statement

The university of Toledo ("UT") and the university of Toledo physicians, "LLC", ("UTP") have a long-standing commitment to protect the confidentiality, integrity and availability of identifiable patient health information by taking reasonable and appropriate steps to address the requirements of "HIPAA." "HIPAA" means the Health Insurance Portability and Accountability Act of 1996, Public Law 104-91, enacted August 21, 1996, codified at 42 U.S.C. 1320d, the administrative simplification regulations found at parts 160 through 164 of Title 45 of the Code of Federal Regulations, as may be amended.

(B) The purpose of this policy:

(1) Designate "UT" as a hybrid entity;

(2) Designate "UT" and "UTP" as an affiliated covered entity ("ACE");

(3) Define the organizational structure and administrative responsibilities as required by "HIPAA"; and

(4) Designate a privacy officer and information security officer and identify their administrative responsibilities.

(C) Scope

This policy applies to "UTP" and all "UT" covered components and their respective workforce members. Covered components are designated from time to time by the privacy and security committee. Covered components are identified in the addendum to this policy and include the health science campus, the university of Toledo medical center, the student health center, and designated departments of the main campus that perform "HIPAA" covered functions. A reference in this policy to the covered entity refers to "UTP" and the designated components of "UT."

(D) Designation as a hybrid entity:

(1) "UT" designates itself as a hybrid entity; a single entity that is a covered entity whose business activities include both "HIPAA" covered and non-covered functions, and that designates health care components.

(2) The privacy and security committee determines and maintains the list of covered components. The health care components for purposes of "HIPAA" compliance include "UTP," the entire health science campus and designated departments or units on the main campus.

(3) The "HIPAA" requirements apply only to the health care components of "UT" and "UTP" referred to as "covered entity" going forward in this policy.

Although "UT" is a single legal entity, the covered entity must treat units not designated as part of the covered entity as an external entity with respect to uses and disclosures of protected health information.

If a person performs duties both for the covered entity and for another unit of the university, such workforce member must not use or disclose protected health information created or received in the course of, or incident to, the member's work for the covered entity.

(E) Designation as a single affiliated covered entity ("ACE")

(1) "UT" and "UTP" are affiliated, legally separate entities under common ownership that have joined together as an affiliated covered entity ("ACE") for purposes of complying with "HIPAA," to be known as "UT ACE."

(2) The "UT ACE" will name a single "HIPAA" privacy officer and information security officer, adopt common "HIPAA" policies and procedures, and issue a single notice of privacy practices. The "UT ACE" may use a single consent form to obtain consent for uses and disclosures for treatment, payment, or health care operations.

(3) The "UT ACE" will comply with all "UT" policies that address "HIPAA" privacy and security regulations.

(4) "PHI" may be used and disclosed among the "UT ACE" for all functions of the covered entities, consistent with all "UT HIPAA" privacy and security policies located on "UT" website: www.utoledo.edu/policies.

(F) Administrative responsibility:

(1) A privacy and security committee will consist of the following representatives and operate under a plan developed by the committee:

(a) Privacy officer

(b) Information security officer

(c) Legal counsel

(d) "UTP" designee

(e) Compliance officer, "UTP"

(f) Chief medical information officer

(g) Chief operating and clinical officer

(h) Director of information management

(i) "UTMC" clinic representative

(j) Director of internal audit and chief compliance officer

(k) Director of nursing

(l) Clinical trial division chief

(2) The privacy officer

(a) Co-chairs the privacy and security committee

(b) Develops and implements "HIPAA" compliance program

(c) Collaborates with the information security officer to ensure compliance with "HIPAA" privacy and security regulations. Develops and revises "HIPAA" privacy policies and procedures.

(d) Provides a process for individuals to make complaints concerning violations of "HIPAA" privacy and security policies and regulations. Provides a method for documenting complaints and the investigation in such a manner that protects the confidentiality of the reporting individual.

(e) Investigates all reports of a breach and works with legal counsel to perform breach analysis, document the investigation response, notification, and remediation follow through.

(f) Understands the "HIPAA" privacy rule and how it applies within each covered component.

(g) Oversees the enforcement of patient privacy rights within each covered component.

(h) Monitors the covered components for compliance with privacy policies and procedures.

(i) Develops and implements "HIPAA" privacy training for employees within each covered component.

(j) Develops and implements any other procedures with respect to protected health information that are necessary for "UT ACE" compliance with the standards, implementation specifications or other requirements of "HIPAA."

(3) Information security officer

(a) Co-chair of the privacy and security committee

(b) Ensures that all health care components secure all health information subject to these security regulations, whether housed or transmitted electronically, with reasonable protections depending on the needs and current technology in place. These reasonable protections will include:

Developing procedures including certification, incident response and reporting, contingency planning, documented policies and procedures, and training;

(c) Provide physical safeguards, including physical access controls, workstation usage and placement, device and media disposal, reuse, and accountability;

(d) Provide technical security services, including access, audit and authorization controls; and

(e) Provide technical security mechanisms, including communications/network transmission controls.

(f) Understands the "HIPAA" security rule and how it applies within each covered component.

(g) Develops appropriate policies and procedures to comply with the "HIPAA" security rule.

(h) Analyzes and manages reasonably anticipated threats to the security or integrity of "ePHI" within each covered entity.

(i) Ensures availability of "ePHI" through proper storage, backup, disaster recovery plans, contingency operations, testing, and other safeguards.

(j) Monitors workforce members in each covered entity for compliance with security policies and procedures including auditing information system activity of workforce members and access reports.

(k) Implements "ePHI" access controls and termination of access.

(l) Identifies and evaluates threats to the confidentiality and integrity of "ePHI".

(m) Protects against uses or disclosures of "ePHI" that are not permitted under the privacy standards.

(n) Responds to security incidents and actual or suspected breaches in the confidentiality or integrity of "ePHI" and maintains security incident tracking reports.

(G) Standards for electronic transactions: "UT-ACE" must electronically bill using the standardized formats, codes, and data elements and comply with the rules governing such transactions.

(H) Workforce members

Workforce members of "UT ACE," including employees of the designated health care components who have access or may be exposed to "PHI," will complete "HIPAA" training conducted by the privacy and security officer or their designee(s). Business associates who need to access electronic protected health information will follow all business associate agreement terms and conditions.

All "UT ACE" workforce members must complete "HIPAA" privacy and security training upon hiring or prior to exposure to "PHI."

(I) Violation of policy or procedures:

The failure of a workforce member to comply with this policy or any "UT" policy or procedure that relates to "HIPAA" or "IT" security will be grounds for discipline under the applicable disciplinary policies or collective bargaining agreement. These disciplinary proceedings shall not apply to workforce member "whistleblower" activities, crime victims or complaints, investigations or opposition as set forth in the applicable regulations. The "UT ACE" must document any sanctions applied under the disciplinary policies or collective bargaining agreements.

(J) Monitoring/auditing

Monitoring/auditing of compliance with "UT" policies relating to "HIPAA" privacy and security will be performed to assure compliance with "HIPAA" privacy and security regulations.

(K) Definition

Workforce means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for the "UT ACE" or its healthcare components, is under the direct control of the "UT ACE" or its healthcare components, regardless of whether or not they are paid by the "UT ACE" or its healthcare components.

Effective: 4/25/2016
Promulgated Under: 111.15
Statutory Authority: 3364
Rule Amplifies: 3364