Compliance with HIPAA Policies and Procedures at Another Covered Entity
About This Policy
- Effective Date:
- Responsible University Office:
- HIPAA Privacy and Security Compliance Office
- Responsible University Administrator:
- Vice President for University Clinical Affairs
This policy applies to all personnel, who create, access or store Protected Health Information (“PHI”) under the auspices of a Covered Entity outside of Indiana University, designated for purposes of complying with the final provisions of the security and privacy rules regulated by the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.
Indiana University’s faculty, staff, residents, fellows and students respect the privacy of all individuals and strives to implement measures to protect privacy consistent with the mission and environment, applicable legal requirements and professional standards, generally accepted privacy norms, and available resources.
A major purpose of the Privacy Rule is to define and limit the circumstances in which an individual’s protected heath information may be used or disclosed by covered entities.
All Indiana University faculty, staff, residents, and fellows must comply with the policies and procedures of the respective covered entity when working within a covered entity which is not part of Indiana University.
All Indiana University students must comply with the policies and procedures of the respective covered entity that are applicable to the students’ clinical experience while within a covered entity which is not part of Indiana University.
All Indiana University faculty, staff, residents, fellows and students who are exposed to or acquire another covered entity’s confidential and/or patient information, including but not limited to individually identifiable health information (“IIHI”) and protected health information (“PHI”), as both are defined in the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), 45 CFR §1601.101 et seq., must, at a minimum, (i) comply with the provisions of HIPAA; and (ii) comply with the covered entity’s confidentiality agreement.
Solely for the purpose of defining Indiana University’s faculty, staff, residents, fellows and students’ role in relation to the use and disclosure of another covered entity’s PHI, such individuals are defined as members of the covered entity’s workforce, as that term is defined by 45 CFR 160.103, when engaged in certain activities such as treatment, healthcare operations or students’ clinical experience. However, such individuals are not and shall not be considered to be employees of that covered entity.
This policy does not apply when conducting research under the auspices of Indiana University. Researchers and members of the research team must comply with Indiana University’s HIPAA policies and procedures, the policies and procedures established by Indiana University’s Institutional Review Boards as well as the requirements under the Common Rule.