Oklahoma State University Center for Health Sciences
OSU-CHS Centernet

Privacy Policies & Procedures

Section 0 - Applicability and Definitions

 

Title: Applicability-Privacy Rule
Policy: PRV-00.00
Category: HIPAA Compliance
Authority: 45 CFR §
HIPAA Section: 164.500(a)
Standard: Applicability
Responsibility: Health Care Components
Effective Date: 04/14/2003
Approved by: OSU Legal Counsel
Revised: 7/1/2013

Purpose

To identify how the HIPAA Privacy Rule applies to OSU. 

Policy

(a) Except as otherwise provided herein, the standards, requirements, and implementation specifications of this subpart (Privacy Rule) apply to covered entities with respect to protected health information.  §164.500(a)

(b) Health care clearinghouses must comply with the standards, requirements, and implementation specifications as follows:  §164.500(b)

(1) When a health care clearinghouse creates or receives protected health information as a business associate of another covered entity, the clearinghouse must comply with:  §164.500(b)(1)

(i) Section 164.500 relating to applicability;  §164.500(b)(1)(i)

(ii) Section 164.501 relating to definitions;  §164.500(b)(1)(ii)

(iii) Section 164.502 relating to uses and disclosures of protected health information, except that a clearinghouse is prohibited from using or disclosing protected health information other than as permitted in the business associate contract under which it created or received the protected health information;  §164.500(b)(1)(iii)

(iv) Section 164.504 relating to the organizational requirements for covered entities;  §164.500(b)(1)(iv)

(v) Section 164.512 relating to uses and disclosures for which individual authorization or an opportunity to agree or object is not required, except that a clearinghouse is prohibited from using or disclosing protected health information other than as permitted in the business associate contract under which it created or received the protected health information;  §164.500(b)(1)(v)

(vi) Section 164.532 relating to transition requirements; and  §164.500(b)(1)(vi)

(vii) Section 164.534 relating to compliance dates for initial implementation of the privacy standards.  §164.500(b)(1)(vii)

(2) When a health care clearinghouse creates or receives protected health information other than as a business associate of a covered entity, the clearinghouse must comply with all of the standards, requirements, and implementation specifications of the Privacy Rule.  §164.500(b)(2)

(c) Where provided, the standards, requirements, and implementation specifications adopted under this Privacy Rule apply to a business associate with respect to the protected health information of a covered entity.  §164.500(c)

(d) The standards, requirements, and implementation specifications of the Privacy Rule do not apply to the Department of Defense or to any other federal agency, or non-governmental organization acting on its behalf, when providing health care to overseas foreign national beneficiaries.  §164.500(d)

Procedure

OSU will adhere to all applicable rules and regulations under the Privacy Rule.  OSU does operate a Clearinghouse and as such will also adhere to these standards.

OSU will keep on file a copy of all Business Associate Agreements for our Clearinghouse Function.



 

Title: Definitions
Policy: PRV-00.01
Category: HIPAA Compliance
Authority: 45 CFR §
HIPAA Section: 164.501; 160.103
Standard: Definitions
Responsibility: Health Care Components
Effective Date: 04/14/2003
Approved by: OSU Legal Counsel
Revised: 7/1/2013

Purpose

To provide definitions used in HIPAA and within OSU Policies and Procedures.

Policy
  1. Provide definitions of terminology used in relation to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and in relation to the Health Information Technology for Economic and Clinical Health Act (HITECH).

    OSU adopts all definitions of terminology in the various sections and subparts of HIPAA and HITECH including but not limited to:

    HIPAA SECTIONS:  §160.103; §160.202; §160.401; §160.502; §162.103; §164.103; §164.304; §164.402; §164.501; §164.504(a);
    HITECH SECTION:  3000 (Starting on Page 3)

    In the event definitions change, OSU will use the definitions only in their respective effective periods.  In the event a term or terms have been left off this list, it is inadvertent and will be considered human error.  OSU adopts all legal definitions of all HIPAA terms.

    The definitions found in the various sections include:


    • Correctional Institution
    • Data Aggregation
    • Designated Record Set
    • Direct Treatment
    • Health Care Operations
    • Health Oversight Agency
    • Indirect Treatment
    • Inmate
    • Marketing
    • Financial Remuneration
    • Payment
    • Psychotherapy Notes
    • Public Health Authority
    • Research
    • Treatment
    • Act
    • Administrative Simplification Provision
    • Business Associate
    • Civil Monetary Penalty
    • CMS
    • Compliance Date
    • Covered Entity
    • Disclosure
    • EIN
    • Electronic Media
    • Electronic Protected Health Information
    • Employer
    • Family Member
    • Genetic Test
    • Group Health Plan
    • Health Care Clearinghouse
    • Health Care Provider
    • Health Information
    • Health Insurance Issuer
    • Health Maintenance Organization
    • Health Plan
    • Implementation Specification
    • Individual
    • Individually Identifiable Health Information
    • Modify or Modification
    • Organized Health Care Arrangement
    • Person
    • Protected Health Information
    • Respondent
    • Small Health Plan
    • Standard Setting Organization
    • State
    • Subcontractor
    • Trading Partner
    • Transaction
    • Use
    • Violation
    • Workforce
    • Contrary
    • More Stringent
    • Relates to the Privacy of Individually Identifiable Health Information
    • State Law
    • Reasonable Cause
    • Reasonable Diligence
    • Willful Neglect
    • Board
    • Code Set
    • Code Set Maintaining Organization
    • Controlling Health Plan
    • Covered Health Care Provider
    • Data Condition
    • Data Content
    • Data Element
    • Data Set
    • Descriptor
    • Designated Standard
    • Direct Data Entry
    • Format
    • HCPCS
    • Maintain or Maintenance
    • Maximum Defined
    • Operating Rules
    • Segment
    • Stage 1
    • Standard Transaction
    • Subhealth Plan
    • Common Control
    • Common Ownership
    • Covered Functions
    • Health Care Component
    • Hybrid Entity
    • Law Enforcement Official
    • Plan Sponsor
    • Required by Law
    • Access
    • Administrative Safeguards
    • Authentication
    • Availability
    • Confidentiality
    • Encryption
    • Facility
    • Information System
    • Integrity
    • Malicious Software
    • Password
    • Physical Safeguards
    • Security or Security Measures
    • Security Incident
    • Technical Safeguards
    • User
    • Workstation
    • Breach
    • Unsecured Protected Health Information
    • Plan Administration Functions
    • Summary Health Information
    • Certified EHR Technology
    • Enterprise Integration
    • Health Care Provider
    • Health Information
    • Health Information Technology
    • Health Plan
    • HIT Policy Committee
    • HIT Standards Committee
    • Individually Identifiable Health Information
    • Laboratory
    • National Coordinator
    • Pharmacist
    • Qualified Electronic Health Record
    • State
Reference

BRE-01.00 Policy



 
