HEALTH INFORMATION PRIVACY AND SECURITY POLICY
IOWA STATE UNIVERSITY
1. Purpose.

Iowa State University (ISU) is committed to protecting the privacy and security of personal health information concerning our employees and students. This policy is designed to assure ISU’s compliance with all applicable federal and state laws and regulations that require an individual’s personal health information to be kept confidential and private. It is the result of a comprehensive review performed by the HIPAA Compliance Task Force.
2. Applicable Laws and Regulations.

Personal health information is required to be kept confidential and private under a number of federal and state laws and regulations. For example, Iowa Code Chapter 22.7(2) addresses the confidentiality of public hospital, medical and professional counselor records; Iowa Code Chapter 228 addresses the disclosure of mental health and psychological information; the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. §1232(g) and 34 CFR Part 99, addresses the confidentiality of student educational records; and the Health Insurance Portability and Accountability Act (HIPAA), 42 U.S.C. 1320(d) and 45 CFR Parts 160 and 164, addresses the confidentiality of patient health information and records.

Although the development of this policy has been motivated by HIPAA and its accompanying regulations, Iowa State University health care providers have always had policies and procedures that addressed the confidentiality of personal health information. Since there are numerous state and federal laws and regulations that apply to the confidentiality and privacy of personal health information, this policy intends to bring together in one comprehensive policy the commitment ISU has for compliance with those federal and state laws and regulations. This is true whether the personal health information is protected by HIPAA, FERPA, other state or federal laws and regulations, or a combination of federal and state laws and regulations.

It is the policy of ISU to comply with all federal and state laws and regulations that require personal health information of our employees and/or students to be kept confidential and private.
3. Hybrid Entity.

Since the primary mission of ISU is education, and only part of our activities include covered functions under the final HIPAA Privacy Rule, ISU has determined that it is a hybrid entity for purposes of HIPAA. The ISU hybrid entity will have two parts. First is the Health Care Provider component that contains the departments that provide health-related services. The second is the Health Plan component that includes certain health plans within the ISU Benefits Office that are self-insured, are determined to be covered by the HIPAA regulations, and must therefore comply with HIPAA.

The ISU Health Care Provider component includes the following departments:
· Thielen Student Health Center;
· Thielen Student Health Center Pharmacy;
· ISU Student Counseling Service;
· Cyclone Sports Medicine/Physical Therapy; and
· ISU Athletic Training Department.

The ISU Health Plan component includes:
· The Self-insured ISU Plan including the Indemnity, PPO and HMO plans;
· The Basic and Comprehensive Dental plans; and
· The Medical Reimbursement Flexible Spending Account program.

There are also administrative support units within ISU that provide assistance to our designated Health Care Provider component and designated Health Plan component. For purposes of HIPAA compliance, these departments are included within our hybrid entity for those administrative support services that they provide to the providers or health plans that are part of the ISU hybrid entity. These administrative support units include:
· Administrative Data Processing;
· Accounts Receivable;
· Internal Audit;
· University Counsel; and
· Risk Management.

In the process of developing this policy, all departments within ISU were reviewed by the HIPAA Task Force to determine whether or not they should be included within the ISU hybrid entity. Although the following departments occasionally would come in contact with or maintain personal health information about an employee or student in departmental records, it was determined that these departments are not to be designated as part of the ISU hybrid entity:
· Dean of Students;
· Disability Resources;
· Employee Assistance Program (EAP);
· Facilities, Planning and Management;
· Family and Marriage Therapy Clinic;
· Health and Human Performance Department;
· Human Resources;
· Lied Fitness Center;
· Occupational Medicine;
· Department of Public Safety;
· Purchasing;
· Student Financial Aid;
· Student Health Insurance;
· Treasurer; and
· Workers’ Compensation Program.
4. Human Subjects Research Office.

Special attention to the Human Subjects Research Office was given by the HIPAA Task Force. Although it does not provide covered functions under HIPAA, it has the important responsibility of educating researchers about the impact of HIPAA on human subjects research.

ISU does conduct some research that involves personal health information of the research subjects. Research that involves human subjects is reviewed and approved by the Institutional Research Board (IRB) at ISU. In the context of human subject research, personal health information of our employees and students is protected by the federal “common rule” under which the ISU IRB must operate. The Human Subjects Research Office of the Office of Research Compliance and the IRB at ISU are not designated as part of our hybrid entity. The Human Subjects Research Office will be responsible for educating researchers conducting human subjects research to comply with HIPAA regulations involving privacy and security of the personal health information of the human subjects that are the focus of their research. This generally requires that an appropriate authorization be obtained from the subject of the research unless the IRB has determined that a waiver of the authorization requirement is appropriate. The Human Subjects Research Office and the IRB will provide education to researchers about the appropriate elements of an authorization for use in human subject research and how to seek personal health information from health care providers by using an authorization signed by the research subject, or when the data sought is preparatory to their research or involves disclosure through a limited data set agreement for use in human subject research. However, the ultimate determination of when disclosure will be made in these circumstances and the final review and approval of disclosure pursuant to an authorization will be made by the health care provider that possesses the personal health information of the research subject.
5. Health Information Privacy Officer.

The Health Information Privacy Officer at ISU is responsible for development and implementation of policies, procedures and educational programs that will assure compliance with the various federal and state laws and regulations that require personal health information to be kept confidential and private. This person will provide leadership to the overall management of ISU’s health information privacy compliance and will chair the ISU Health Information Privacy Compliance Committee. The Health Information Privacy Officer shall have the responsibility and authority to:
· Develop and implement the ISU Policy and Procedures concerning the privacy and security of personal health information of ISU employees and students as determined by the ISU Health Information Privacy Compliance Committee.
· Provide oversight of privacy practices within the ISU designated health care provider components.
· Receive and investigate complaints concerning the use and disclosure of personal health information by the ISU designated health care provider components.
· Develop and implement an organization-wide training program in collaboration with the ISU designated health care provider components.
· Review, update and improve, where necessary, the policies and practices of the ISU designated health care components as they relate to the privacy of personal health information of our employees and students.

The Health Information Privacy Officer for ISU is the Director of the Thielen Student Health Center.

The Health Information Privacy Officer will be assisted by a Health Information Privacy Compliance Committee, as described in Section 7. In addition, the director of each ISU health care provider shall designate an employee to be the contact person for health information privacy within the department. That person will act as the liaison for the department to the Health Information Privacy Officer. The ISU Office of University Counsel will provide legal advice to the Health Information Privacy Officer.
6. Health Information Security Officer.

ISU has determined that the responsibility for the security of health information on campus should be placed with the Administrative Data Processing Department since most of the personal health information that must be kept secure will exist electronically. The Health Information Security Officer is responsible for development and implementation of policies, procedures and educational programs that will assure that each designated health care provider and the ISU Benefits Office have in place appropriate administrative, technical and physical safeguards to protect the privacy of the personal health information of our employees and students. In addition, the director of each ISU health care provider and the ISU Benefits Office shall designate an employee to be the contact person for health information security within the department. That person will act as the liaison for the department to the Health Information Security Officer.

The Health Information Security Officer will be a permanent member of the Health Information Privacy Compliance Committee. The Health Information Security Officer for ISU is the person from Administrative Data Processing that is responsible for information technology involving medical records at the Thielen Student Health Center.
7. Health Information Privacy Compliance Committee.

To assist in assuring that the personal health information of our employees and students is kept confidential and private, a permanent committee, the Health Information Privacy Compliance Committee, is formed. The chair of this committee shall be the Health Information Privacy Officer. Other members of the committee shall include:
· The Health Information Security Officer.
· A person from each ISU health care provider that has the responsibility within the designated health care component for privacy policy and procedures or security policy and procedures. This person shall be designated by the director of the respective health care provider.
· A person designated by the ISU Benefits Office.
· A person designated by the Office of Research Compliance.
· A person designated by the ISU Office of University Counsel.

The persons designated to be liaisons to the Health Information Security Officer will not be members of the Health Information Privacy Compliance Committee but could be invited to provide advice to the Committee on any security-related issue.

The responsibility of this committee is to provide advice and support to the Health Information Privacy Officer and assist in developing, monitoring, implementing, and revising ISU’s policy and procedures requiring confidentiality and privacy of the personal health information of our employees and students. The Committee is delegated the authority to develop the specific details of ISU policy and procedure to assure compliance with health information privacy laws and regulations.
8. Notice of Privacy Practices.

ISU shall have two specific Notices of Privacy Practices. One will apply to the designated health care providers within our hybrid entity, and the other will apply to our health plans within the ISU Benefits Office. A copy of the Notice of Privacy Practices for Iowa State University Health Care Providers is attached as “Exhibit A.” A copy of the Notice of Privacy Practices for Iowa State University Benefits Office is attached as “Exhibit B.” It is the responsibility of the Health Information Privacy Officer and the Health Information Privacy Compliance Committee to monitor and review the privacy practices and procedures described in the Notice of Privacy Practices, make revisions as necessary, and communicate any revised notice to our employees and students, as required by various federal and state laws and regulations.
9. Effective Date.

This policy is effective April 14, 2003.