General Administrative Requirements
About This Policy
- Effective Date:
- Date of Last Review/Update:
- Responsible University Office:
- HIPAA Privacy and Security Compliance Office
- Responsible University Administrator:
- Vice President for University Clinical Affairs
- Policy Contact:
- University HIPAA Privacy Officer
- University HIPAA Security Officer
This policy applies to all personnel, regardless of affiliation, who create, access, or store Protected Health Information (“PHI”) under the auspices of Indiana University and who have been designated for purposes of complying with the final provisions of the security and privacy rules regulated by the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. Please refer to the IU HIPAA Affected Areas (IU HAAs) document for a full list of units impacted within Indiana University.
Reason for Policy
Indiana University respects the privacy of all members of the IU community, and strives to implement measures to protect privacy consistent with the university mission and environment, applicable legal requirements and professional standards, generally accepted privacy norms, and available resources.
The provisions of this policy include the implementation of the following required components and documented policies and procedures:
Hybrid Entity Designation
Indiana University has designated itself as a Hybrid Entity as defined in the HIPAA Privacy Rule and described in IU Policy HIPAA-A01.
Notice of Privacy Practices
IU HAAs that are part of the IU health plans or are health care providers shall maintain a Notice of Privacy Practices that explains how they use and disclose PHI, as well as an individual’s rights and the IU HAA’s legal duties under HIPAA.
The notice shall be written in plain language and shall include the terms required by HIPAA.
The IU HAA may not use or disclose PHI in violation of the Notice.
Except in an emergency situation, IU HAAs that are direct treatment providers shall do the following:
- Make a good faith effort to obtain a patient’s written acknowledgment of the Notice by the first date of service.
- If the IU HAA is unable to obtain an acknowledgment, the IU HAA shall document the good faith efforts taken and the reason the acknowledgment was not obtained, if known.
- In addition, the IU HAA shall post the Notice in a prominent location where it is reasonable for the public to see it, and shall make a copy of the Notice available upon request.
Policies and Procedures
- The IU HIPAA Privacy and Security Office will create, review, and update University-level HIPAA policies.
- IU HAAs shall comply with the University-level HIPAA policies.
- IU HIPAA policies will be reviewed at least every two (2) years or when there is a change in the regulations.
Safeguards
IU HAAs shall have administrative and physical safeguards to protect health information from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications, or other requirements of HIPAA or University HIPAA policies.
IU HAAs shall reasonably safeguard protected health information to limit incidental uses or disclosures.
IU HAAs shall limit the protected health information accessed, used, or disclosed to the minimum necessary to accomplish the intended purpose.
IU HAAs shall periodically complete a Risk Analysis as required under the HIPAA Security Rule.
IU HAAs shall use the risk analysis to determine a Risk Management plan.
IU HAAs shall ensure that all workforce members who may use mobile devices to access PHI understand their responsibilities.
IU HAAs shall ensure all workforce members understand their obligations to comply with IT 12.1 as applicable.
IU HAAs shall implement written policies and procedures to ensure these safeguards are in place.
Training
IU HAAs shall train each new member of the workforce within a reasonable period of time (based on their role) after the person joins the workforce, but no longer than 90 days from the initial employment date.
IU HAAs shall require all workforce members to complete HIPAA Privacy and Security Training on an annual basis.
IU HAAs shall also train each member of the workforce whose functions are affected by a material change in the policies or procedures, within a reasonable period of time after the material change becomes effective.
IU HAAs shall document that training has been provided to each member of the workforce and shall report to the University HIPAA Privacy Officer annually.
To support this policy, the IU HAA shall develop and implement a training program for its workforce members or offer the option of an approved e-training module.
Business Associates
Authorized members of the IU HAA workforce may disclose PHI to a business associate (BA) if the IU HAA has obtained satisfactory assurance that the BA will appropriately safeguard the information.
An IU HAA may also permit a BA to create or receive PHI on the IU HAA’s behalf.
The IU HAA shall document the satisfactory assurances through a fully executed agreement with the BA that meets the requirements of the HIPAA Privacy Rule. The required language may be incorporated into the service agreement or in a separate business associate agreement.
Limited Data Set
IU HAAs shall use data in the form of a limited data set when possible for the purposes of research, public health and health care operations.
IU HAAs will execute a Data Use Agreement or similar agreement when data are shared in the form of a limited data set, even when shared internally.
Data Use Agreements must be signed by the University HIPAA Privacy Officer as the authorized university official.
Sanctions
IU HAAs shall follow IU’s disciplinary policies, including IU’s Corrective Action Policy.
IU HAAs shall follow HIPAA-G01 HIPAA Sanctions Guidance.