Oklahoma State University Center for Health Sciences
OSU-CHS Centernet

Privacy Policies & Procedures

Section 13 - Administrative Requirements

 

Title: Personnel Designations
Policy: PRV-13.01
Category: HIPAA Compliance
Authority: 45 CFR
HIPAA Section: §164.530(a)(1) & (2)
Standard: Personnel Designations
Responsibility: Health Care Components
Effective Date: 04/14/2003
Approved by: OSU Legal Counsel
Revised: 7/1/2013

Purpose

To establish, as required, a Privacy Official, and an individual who is to receive complaints.

Policy
  1. OSU must designate a privacy official who is responsible for the development and implementation of the policies and procedures of the entity.  §164.530(a)(1)
    1. OSU must designate a contact person or office who is responsible for receiving complaints under this section and who is able to provide further information about matters covered by the notice required by § 164.520.  §164.530(a)(1)(ii)
  2. OSU must document the personnel designations in paragraph (1) of this policy as required by §164.530(j).  §164.530(a)(2)
Procedure

The designated Senior Privacy Official for OSU-CHS is the HIPAA Compliance Officer.  This individual is responsible for the development and implementation of the policies and procedures of OSU.  §164.530(a)(1)(i)
The HIPAA Compliance Officer may designate an individual(s) in his/her absence.  The contact information is:

OSU HIPAA Compliance Office
717 South Houston, Suite 506
Tulsa, OK 74127
Phone: 918-586-4545
Email: chs.privacy@okstate.edu

The HIPAA Compliance Officer is responsible for receiving complaints regarding HIPAA and the administration of HIPAA within OSU.  The Manager of the HIPAA Compliance Office can provide additional information about matters concerning any aspect of the OSU HIPAA Compliance plan.  §164.530(a)(ii)

These designations shall be approved by the HIPAA Steering Committee and kept in meeting minutes.



Title: Training
Policy: PRV-13.02
Category: HIPAA Compliance
Authority: 45 CFR
HIPAA Section: §164.530(b)(1)
Standard: Training
Responsibility: Health Care Components
Effective Date: 04/14/2003
Approved by: OSU Legal Counsel
Revised: 7/1/2013
Revisions approved by OSU CHS executive team: December 2016

Purpose

To ensure that the OSU CHS workforce (including but not limited to faculty, staff, contracted providers, residents, medical students and volunteers) receives training on HIPAA regulations, policies and procedures on the use and disclosure of PHI, as well as training on electronic applications that store, process or transmit PHI, as necessary and appropriate for members of the workforce to carry out their work responsibilities.

Policy
  1. All members of the OSU CHS workforce must complete HIPAA training at the time of initial employment or association with OSU CHS, at least annually thereafter, when HIPAA regulations or policies change and when otherwise requested by the Compliance Committee.
    1. New members of the workforce may not access PHI until HIPAA training is completed.
    2. Supervisors must verify completion of annual HIPAA training at the time of annual performance evaluations.
    3. HIPAA training from other organizations may be accepted in place of OSU CHS HIPAA training when approved by the OSU CHS Compliance Committee.
    4. Adjunct professors who are employed 50% or less and do not access PHI at OSU may receive an exemption from HIPAA training, as determined by the OSU CHS Compliance Committee.
  2. All members of the OSU CHS workforce who utilize electronic applications that store, process or transmit PHI must complete training for these applications prior to being granted access.
  3. OSU CHS must maintain documentation of training completion for at least 6 years.
  4. Members of the workforce who do not complete HIPAA training as required will be sanctioned according to Human Resources, Compliance, Student Affairs or other applicable policies.
Procedure
  1. Workforce Members
    1. At the time of initial employment or other association with OSU, workforce members will be required to complete HIPAA training.
      1. The workforce member’s Supervisor will ensure that HIPAA training is completed within 3 days of employment or other association with OSU and before the workforce member is allowed to access PHI.
      2. OSU medical students will take the training at the time of new student orientation or when otherwise assigned to the academic class by the Compliance Office.
    2. Workforce members, including medical students, will repeat HIPAA training on at least an annual basis, as determined by the OSU CHS Compliance Committee.
  2. A member of the workforce will not be given access to an electronic application that stores, processes or transmits PHI until the workforce member has successfully completed training for the application.
  3. OSU will maintain documentation of training completion for at least 6 years.
  4. Noncompliance with this policy will be addressed by the Compliance Committee, Human Resources, Student Affairs and any applicable policy as appropriate.


Title: Safeguards
Policy: PRV-13.03
Category: HIPAA Compliance
Authority: 45 CFR
HIPAA Section: §164.530(c)(1)
Standard: Safeguards
Responsibility: Health Care Components
Effective Date: 04/14/2003
Approved by: OSU Legal Counsel
Revised: 7/1/2013

Purpose

To establish necessary safeguards to help protect PHI.

Policy

OSU must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.  §164.530(c)(1)

OSU must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements of the Privacy Rule.  §164.530(c)(2)(ii)

OSU must reasonably safeguard PHI to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure.  §164.530(c)(2)(ii)

Procedure

OSU will adhere to all required HIPAA standards, implementation specifications and other requirements, along with HITECH requirements, by documenting its policies and procedures, performing the necessary audits, risk assessments and risk analyses, conducting workforce training, and implementing sanctions as needed to ensure adherence to those policies.



Title: Complaints to the Covered Entity
Policy: PRV-13.04
Category: HIPAA Compliance
Authority: 45 CFR
HIPAA Section: §164.530(d)(1)
Standard: Complaints to the Covered Entity
Responsibility: Health Care Components
Effective Date: 04/14/2003
Approved by: OSU Legal Counsel
Revised: 7/1/2013

Purpose

To identify the methods by which an individual or employee may file a complaint against OSU.

Policy
  1. OSU must provide a process for individuals to make complaints concerning OSU’s policies and procedures required by the Privacy Rule and the Breach Notification Rule or its compliance with such policies and procedures or the requirements of the Privacy Rule and the Breach Notification Rule.  §164.530(d)(1)
  2. As required by paragraph (j) of §164.530 Documentation, OSU must document all complaints received, and their disposition, if any.  §164.530(d)(2)
Procedure

The HIPAA Compliance Office shall be responsible for documentation and retention of any and all such complaints.  These shall be maintained within the HIPAA Compliance Office.  These documents will include correspondence, responses, and remedies under these policies.  §164.530(d)(2)

  • Complaints Filed by Patients
    Written complaints should be sent to the Privacy Officer at the address listed below:

    HIPAA Compliance Office
    717 South Houston, Suite 506
    Tulsa, OK 74127

If an individual wishes to make a complaint in person, please call the HIPAA Hotline listed below to schedule an appointment with the Privacy Officer, or to make the complaint over the phone.

HIPAA Hotline: 918-586-4545

  • Employee Report of Concern

    Employees may contact the HIPAA Compliance Officer to file a Report of Concern.   Please use the Employee Report of Concern form located here.  Complete the form and send or deliver to the HIPAA Compliance Officer.  Reports may also be made via email to the HIPAA Compliance Officer.  Be sure to include as much detail as possible when describing the incident or area of concern.

    Employees may email the HIPAA Compliance Office at chs.privacy@okstate.edu

    Employees may also file a report via an online reporting tool called Ethics Point.  A link to this site may be found on the HIPAA homepage: http://centernet.okstate.edu/compliance/

    All reports may be anonymous.  The OSU HIPAA Compliance Office will make every effort to ensure anonymity, but it may not always be possible depending on the circumstances of the incident.
Reference

ENF-00.01 Complaints to the Secretary



Title: Sanctions
Policy: PRV-13.05
Category: HIPAA Compliance
Authority: 45 CFR
HIPAA Section: §164.530(e)(1), §164.308(a)(1)(ii)(C)
Standard: Sanctions
Responsibility: Health Care Components
Effective Date: 04/14/2003
Approved by: OSU Legal Counsel
Revised: 7/1/2013

Purpose

This policy covers the possible sanctions against OSU workforce members who fail to comply with the policies and procedures of this organization with regard to HIPAA.

Policy

OSU will apply appropriate sanctions against workforce members who fail to comply with the HIPAA policies and procedures of OSU.  §164.308(a)(1)(ii)(C)

This policy does not cover the subject of sanctions taken by the regulating agencies against OSU.  It does not apply to employees with respect to the actions or disclosures of whistleblowers or victims of crime.

Sanctions will be consistent with existing OSU policy and procedures regarding discipline in the workplace.  Sanctions are imposed at the discretion of administration and may range from a verbal warning to termination of employment.

OSU will maintain documentation of all sanction policies.  Training will be provided to all employees for clarification purposes.  Training records will be maintained in the HIPAA Compliance Office and/or designated locations. 

Violations and sanctions will be documented and maintained in the employees’ personnel file.

OSU employees are protected from intimidation, threats, coercion, discrimination, or other retaliatory actions for filing a complaint with the Secretary of Health and Human Services (HHS) under subpart C of part 160, the Enforcement Rule.

There are many types of breaches and violations of HIPAA.  Some common examples for which an individual may receive sanctions include, but are not limited to:

  • Discussing patient information in a public area.
  • Leaving a copy of patient information in a public area.
  • Leaving a computer unattended in an accessible area with Protected Health Information (PHI) unsecured.
  • Accessing and viewing the record of a patient out of curiosity or concern (coworker, supervisor, public personality, own medical record, etc.).
  • Releasing information without appropriate authorization, to include discussion about a patient not related to direct patient care.
  • Removing any paper document containing PHI (including but not limited to medical records, schedules, test results, or EOBs) from the premises for a purpose not related to Treatment, Payment or Operations (TPO).
  • Violating passwords or log-on policy.
  • Removal of equipment or any computer device containing ePHI (including but not limited to disks, flash drives, or email).
  • Maintaining ePHI in unsecure areas outside of a network storage drive.
  • Reviewing patient records to use the information for a personal relationship (including but not limited to accessing a birthdate or address).
  • Compiling a mailing list of patients for personal use or financial gain.
  • Sale of any PHI to an individual, company, or corporation.
  • Causing or participating in any theft or compromise of PHI.
  • Failure to report a known or suspected HIPAA violation of oneself or a coworker.

All breaches and/or violations of HIPAA and/or OSU policy are eligible for sanctions against the employee(s) involved, whether they knew or should have known about the issue.

Depending on the severity of the offense all breaches and/or violations may receive any of the following sanctions:

  • Verbal warning and retraining
  • Plan of Corrective Action
  • Warning letter with plan of corrective action with a notice of possible termination
  • Revocation of system access
  • Suspension without pay
  • Termination
  • Reports to law enforcement, licensing agencies or other officials as necessary.

The level of sanctions for all breaches/violations depends on the size, scope, intent and the employee’s prior history.  Employees in a supervisory role will be held to a higher standard.

Procedure
  1. All employees are obligated to report any known or suspected breach or violation of HIPAA or OSU policy.
  2. All reports are to be made to the HIPAA Compliance Officer either via phone, in person, email, or EthicsPoint.
  3. If a report is made to any other individual besides the HIPAA Compliance Officer or his/her designee, that individual must report it to the HIPAA Compliance Officer.  For example, a report is made to a supervisor; the supervisor shall report the issue to the HIPAA Compliance Officer.
  4. Upon notification of a possible or suspected breach or violation, the HIPAA Compliance Officer will conduct an investigation without unreasonable delay.
  5. The HIPAA Compliance Officer may enlist the help of the Department of Information Technology, Human Resources, the HIPAA Steering Committee, OSU General Counsel, Outside Legal Counsel, Administration, the Office of the President of OSU, and the State Board of Regents if need be.
  6. As part of the investigation, the HIPAA Compliance Officer will take into account the following four factors:
    1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
    2. The unauthorized person who used the PHI or to whom the disclosure was made;
    3. Whether the PHI was actually acquired or viewed; and
    4. The extent to which the risk to the PHI has been mitigated.
  7. Upon completion of the investigation, the HIPAA Compliance Officer will write a report, detailing the events of the issue, without further disclosing any PHI, and provide recommendations as to how to resolve and mitigate the issue.
  8. The report will be kept on file in the HIPAA Compliance Office and sent to Human Resources, where sanctions will be determined.  See the list of possible sanctions above.
  9. The HIPAA Compliance Officer will then notify all affected patients following the procedures in the Breach Notification Policies.
  10. The HIPAA Compliance Officer will meet with the HIPAA Steering Committee to discuss the issue and address the mitigation of the now known problem, if needed.
  11. At any time throughout this process, a report to law enforcement or a licensing or regulatory agency may be made at the discretion of Administration.
Reference

SEC-01.03



Title: Mitigation
Policy: PRV-13.06
Category: HIPAA Compliance
Authority: 45 CFR
HIPAA Section: §164.512(f)
Standard: Mitigation
Responsibility: Health Care Components
Effective Date: 04/14/2003
Approved by: OSU Legal Counsel
Revised: 7/1/2013

Purpose

To identify what OSU is required to do to mitigate an issue, either in an attempt to prevent an event or after one has occurred.

Policy

OSU must mitigate, to the extent practicable, any harmful effect that is known to OSU of a use or disclosure of protected health information in violation of its policies and procedures or the requirements of Privacy Rule by OSU or its business associate.  §164.530(f)

Procedure
  1. In an effort to prevent any undesirable use or disclosure of protected health information, OSU shall follow its own policies and procedures, which include, but are not limited to:
    1. Workforce training
    2. Risk analysis
    3. Risk assessment
    4. Periodic review of policies and procedures
    5. Sanctions as needed
    6. Keeping up to date on regulatory standards and changes
    7. Enlisting the help of the Information Technology Department to ensure network and computer security
  2. If an undesirable event occurs, whether the event is an actual breach of protected health information or something less than the legal definition of a breach, OSU shall follow the Breach Notification Rule Policies to the extent necessary to identify the root problem and take the necessary steps to fix it.
Reference

Breach Notification Policies
Subpart D of §164



Title: Refraining from Intimidating or Retaliatory Acts
Policy: PRV-13.07
Category: HIPAA Compliance
Authority: 45 CFR
HIPAA Section: §164.530(g)
Standard: Refraining from Intimidating or Retaliatory Acts
Responsibility: Health Care Components
Effective Date: 04/14/2003
Approved by: OSU Legal Counsel
Revised: 7/1/2013

Purpose

To establish that OSU and its agents shall not retaliate against, or intimidate in any way, anyone who exercises their rights under HIPAA.

Policy

Oklahoma State University…

  1. May not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for the exercise by the individual of any right established, or for participation in any process provided for, by the Privacy Rule and the Breach Notification Rule, including the filing of a complaint under this section of Policies; and  §164.530(g)(1)
  2. Must refrain from intimidation and retaliation as provided in § 160.316 Refraining from Intimidation or Retaliation.  §164.530(g)(2)
  3. It is also prohibited for any OSU Agent to retaliate against any individual or others for filing a complaint with the Secretary of Health and Human Services; testifying, assisting or participating in an investigation, compliance review, proceeding or hearing as defined under Part C of Title XI.
  4. It is also prohibited for any employee to retaliate against any individual or others for opposing any act or practice made unlawful by HIPAA, provided the individual or person has a good faith belief that the practice opposed is unlawful and the manner of the opposition is reasonable and does not involve a disclosure of PHI in violation of 164.530(g).
Procedure
  1. If any OSU Agent does retaliate, OSU must and will follow HIPAA guidelines and protect the employee who was retaliated against by any legal means necessary.  The individual who performed the retaliatory act will be subject to OSU sanctions, and any civil and/or criminal penalties deemed appropriate by OSU and/or the Judicial Branch of the United States Government depending on the severity of the retaliation.
  2. OSU as an institution shall not intimidate or retaliate against anyone who exercises the rights given to them under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).


Title: Waiver of Rights
Policy: PRV-13.08
Category: HIPAA Compliance
Authority: 45 CFR
HIPAA Section: §164.530(h)
Standard: Waiver of Rights
Responsibility: Health Care Components
Effective Date: 04/14/2003
Approved by: OSU Legal Counsel
Revised: 7/1/2013

Purpose

To establish that OSU cannot ask anyone to give up the rights provided to them under HIPAA.

Policy

OSU may not require individuals to waive their rights under §160.306 Complaints to the Secretary, the Privacy Rule, or the Breach Notification Rule, as a condition of the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits.  §164.530(h)

Procedure

OSU and its Agents shall not ask any individual or require any individual to waive their rights as stated in this policy for any reason.  Any OSU Agent caught asking or requiring an individual to waive their rights shall face swift and severe sanctions. 



Title: Policies and Procedures
Policy: PRV-13.09
Category: HIPAA Compliance
Authority: 45 CFR
HIPAA Section: §164.530(j)(2)
Standard: Policies and Procedures
Responsibility: Health Care Components
Effective Date: 04/14/2003
Approved by: OSU Legal Counsel
Revised: 7/1/2013

Purpose

To identify and document how changes to policy are handled.

Policy

OSU must implement policies and procedures with respect to protected health information that are designed to comply with the standards, implementation specifications, or other requirements of the Privacy Rule and the Breach Notification Rule. The policies and procedures must be reasonably designed, taking into account the size and the type of activities that relate to protected health information undertaken by a covered entity, to ensure such compliance. This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirement of the Privacy Rule.  §164.530(i)(1)

Procedure
  1. OSU shall keep policies and procedures on all applicable items in:
    1. 45 CFR §160 – Applicable Subparts only
    2. 45 CFR §162 – Applicable Subparts only
    3. 45 CFR §164
      1. Subparts A, C, D, E
  2. These policies will be maintained by the HIPAA Compliance Officer and the master copies shall be kept in a secure location on the network.
  3. All policies and procedures shall be reviewed at least annually, or as changes to laws and regulations require, whichever is more frequent.
  4. All old policies shall be kept on file for 6 years.


Title: Changes to Policies and Procedures
Policy: PRV-13.10
Category: HIPAA Compliance
Authority: 45 CFR
HIPAA Section: §164.530(j)(2)
Standard: Changes to Policies and Procedures
Responsibility: Health Care Components
Effective Date: 04/14/2003
Approved by: OSU Legal Counsel
Revised: 7/1/2013

Purpose

To identify and document how changes to policy are handled.

Policy
  1. OSU must change its policies and procedures as necessary and appropriate to comply with changes in the law, including the standards, requirements, and implementation specifications of the Privacy Rule and the Breach Notification Rule.  §164.560(i)(2)(i)
  2. When OSU changes a privacy practice that is stated in the notice described in §164.520, and makes corresponding changes to its policies and procedures, it may make the changes effective for protected health information that it created or received prior to the effective date of the notice revision, provided that OSU has, in accordance with §164.520(b)(1)(v)(C), included in the notice a statement reserving its right to make such a change in its privacy practices; or  §164.560(i)(2)(ii)
  3. OSU may make any other changes to policies and procedures at any time, provided that the changes are documented and implemented in accordance with paragraph (6) of this policy.  §164.560(i)(2)(iii)
  4. Changes in Law - Whenever there is a change in law that necessitates a change to OSU’s policies or procedures, OSU must promptly document and implement the revised policy or procedure. If the change in law materially affects the content of the notice required by §164.520, OSU must promptly make the appropriate revisions to the notice in accordance with §164.520(b)(3). Nothing in this paragraph may be used by OSU to excuse a failure to comply with the law.  §164.560(i)(3)
  5. Changes to Privacy Practices Stated in the Notice –  §164.560(i)(4)
    1. To implement a change as provided by paragraph (2) of this policy, OSU must:  §164.560(i)(4)(i)
      1. Ensure that the policy or procedure, as revised to reflect a change in OSU’s privacy practice as stated in its notice, complies with the standards, requirements, and implementation specifications of the Privacy Rule;  §164.560(i)(4)(i)(A)
      2. Document the policy or procedure, as revised, as required by paragraph (j) of §164.530 Documentation; and  §164.560(i)(4)(i)(B)
      3. Revise the notice as required by §164.520(b)(3) to state the changed practice and make the revised notice available as required by §164.520(c). OSU may not implement a change to a policy or procedure prior to the effective date of the revised notice.  §164.560(i)(4)(i)(C)
    2. If OSU has not reserved its right under §164.520(b)(1)(v)(C) to change a privacy practice that is stated in the notice, then OSU is bound by the privacy practices as stated in the notice with respect to protected health information created or received while such notice is in effect. OSU may change a privacy practice that is stated in the notice, and the related policies and procedures, without having reserved the right to do so, provided that:  §164.560(i)(4)(ii)
      1. Such change meets the implementation specifications in paragraph (5) of this policy; and  §164.560(i)(4)(ii)(A)
      2. Such change is effective only with respect to protected health information created or received after the effective date of the notice.  §164.560(i)(4)(ii)(B)
  6. Changes to other Policies or Procedures - OSU may change, at any time, a policy or procedure that does not materially affect the content of the notice required by §164.520, provided that:  §164.560(i)(5)
    1. The policy or procedure, as revised, complies with the standards, requirements, and implementation specifications of the Privacy Rule; and  §164.560(i)(5)(i)
    2. Prior to the effective date of the change, the policy or procedure, as revised, is documented as required by paragraph (j) of §164.530 Documentation.  §164.560(i)(5)(ii)
Procedure

When a change to policy occurs, the compliance office will retire the original policy and replace it with the updated policy and procedure.  The compliance office will maintain all policies, both current and retired, for a minimum of 6 years for documentation purposes.  Implementation of updated policies will include distribution of the updated policy to all areas with training requirements when there is a material change to the policy.

OSU has stated in its Notice of Privacy Practices that it reserves the right to change its practices at any time, and as such may change its policies at any time.  The effective date of such changes cannot be before the effective date of the legal requirement on which the change is based.

If the change in policy and procedure is based on a procedural issue, OSU reserves the right to change that process at any given time regardless of whether or not a legal change has occurred to warrant the change in process.

