General Administrative Requirements

Policy Statement

This policy applies to all personnel, regardless of affiliation, who create, access or store Protected Health Information (“PHI”) under the auspices of Indiana University, designated for purposes of complying with the final provisions of the security and privacy rules regulated by the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.  Please refer to the IU HIPAA Affected Areas (IU HAAs) document for a full list of units impacted within Indiana University.

Back to top

Reason for Policy

Indiana University respects the privacy of all members of the IU community, and strives to implement measures to protect privacy consistent with the university mission and environment, applicable legal requirements and professional standards, generally accepted privacy norms, and available resources.

The provisions of this policy include the implementation of the following required components and documented policies and procedures:

Hybrid Status

Indiana University has designated itself as a Hybrid Entity as defined in the HIPAA Privacy Rule and described in IU Policy HIPAA-A01.

Notice of Privacy Practices

IU HAAs that are part of the IU health plans or are health care providers shall maintain a Notice of Privacy Practices that explains how they use and disclose (PHI), as well as an individual’s rights and the IU HAA’s legal duties under HIPAA.  

The notice shall be written in plain language and shall include the terms required by HIPAA.
The IU HAA may not use or disclose PHI in violation of the Notice.

Except in an emergency situation, IU HAAs who are direct treatment providers shall do the following:

1. Make a good faith effort to obtain a patient’s written acknowledgment of the Notice by the first date of service.
2. If the IU HAA is unable to obtain an acknowledgment, the IU HAA shall document the good faith efforts taken and the reason the acknowledgment was not obtained, if known.
3. In addition, the IU HAA shall post the Notice in a prominent location where it is reasonable for the public to see it, and shall make a copy of the Notice available upon request.

Safeguards

Administrative/Physical

Policies

• The IU HIPAA Privacy and Security Office will create, review and update University level HIPAA policies.
• IU HAAs shall comply with the University level HIPAA policies.
• IU HIPAA policies will be reviewed at least every two (2) years or when there is a change in the regulations. 

IU HAAs shall have administrative and physical safeguards to protect health information from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications, other requirements of HIPAA or University HIPAA policies. 

IU HAAs shall reasonably safeguard protected health information to limit incidental uses or disclosures.

IU HAAs shall limit the protected health information access, used or disclosed to the minimum necessary to accomplish their goal.

Technical

IU HAAs shall periodically complete a Risk Analysis as required under the HIPAA Security Rule.

IU HAAs shall use the risk analysis to determine a Risk Management plan.

IU HAAs shall ensure all workforce who may use mobile devices to access PHI understand their responsibilities

IU HAAs shall ensure all workforce members understand their obligations to comply with IT 12.1 as applicable.

IU HAAs shall implement written policies and procedures to ensure these safeguards are in place.

HIPAA Training

IU HAAs shall train each new member of the workforce within a reasonable period of time (based on their role) after the person joins the workforce, but no longer than 90 days from the initial employment date.

IU HAAs shall require all workforce members to complete HIPAA Privacy and Security Training on an annual basis.

IU HAAs shall also train each member of the workforce whose functions are affected by a material change in the policies or procedures, within a reasonable period of time after the material change becomes effective. 

IU HAAs shall document training has been provided to each member of the workforce and report to the University HIPAA Privacy Officer annually.

To support this policy, the IU HAA shall develop and implement a training program for the workforce members or offer the option of an approved E Training module.

Business Associates

Authorized members of the IU HAA workforce may disclose protected health information (PHI) to a business associate (BA), if the IU HAA has obtained satisfactory assurance that the BA will appropriately safeguard the information.

IU HAA may also permit a BA to create or receive PHI on the IU HAA’s behalf. 

The IU HAA shall document the satisfactory assurances through a fully executed agreement with the BA that meets the requirements of the HIPAA Privacy Rule. The required language may be incorporated into the service agreement or in a separate business associate agreement. 

Limited Data Set

IU HAAs shall use data in the form of a limited data set when possible for the purposes of research, public health and health care operations.

IU HAAs will execute a Data Use Agreement or similar agreement when data are shared in the form of a limited data set, even when shared internally.

Data Use Agreements must be signed by the University HIPAA Privacy Officer as the authorized university official.

Sanctions

IU HAAs shall follow IU’s disciplinary policies including IU’s Corrective Action Policy. 

IU HAAs shall follow HIPAA-G01 HIPAA Sanctions Guidance.

Back to top

Procedures

The reason for this policy is to ensure that the General Administrative Requirements under HIPAA are addressed and implemented.

Back to top

Sanctions

See HIPAA Glossary for a complete list of terms.

Back to top

Additional Contacts

IU HAAs shall follow IU’s disciplinary policies including IU’s Corrective Action Policy. 

IU HAAs shall follow HIPAA-G01 HIPAA Sanctions Guidance.

Back to top