Penn State - Administrative
To describe the University's responsibilities under the Privacy Rule and related regulations issued under the Health Insurance Portability and Accountability Act (HIPAA) of 1996.
This policy is applicable to all University academic and administrative units except the College of Medicine and applies to all units determined to be covered under the Privacy Rule and related regulations issued under the HIPAA Act of 1996.
The Pennsylvania State University is considered a hybrid entity under HIPAA as a covered organization whose activities include both covered and non-covered functions. As such, the University has identified specific Health Care Components (covered components) that are required to meet specific standards under the act as participants in the delivery of health care, paying for health care, and providing operational support for health care services. In addition, units providing services and support functions to those units involved in treatment, payment, and health care operations must meet specific requirements under the Act.
The following units at Penn State are designated as covered components:
- University Health Services, Student Affairs
- Financial Office, Student Affairs
- Psychological Clinic, Department of Psychology, College of Liberal Arts
- Financial Office, College of Liberal Arts
- Penn State Health Plans, Office of Human Resources
- Records Center, Department of Document Services, Auxiliary and Business Services
- Waste Management Program, Office of Physical Plant
- Central Support Services, Office of Physical Plant
- Penn State Privacy Office
- Internal Auditing, Corporate Controller's Office
- Counseling and Psychological Services (CAPS), Student Affairs
Covered components of Penn State University and their individual employees, students and volunteers must comply with the following privacy practices in the use and disclosure of protected health information as required by the privacy rules and regulations of HIPAA.
Protected Health Information (PHI). Individually identifiable health information that is collected from an individual, created or received by a health care provider, health plan, or other employee of one of the covered components of Penn State, is confidential and must be treated as information protected under HIPAA. Protected health information is individually identifiable health information that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual.
Information obtained by those involved in providing health care will be recorded in a medical record and used to determine the course of treatment. Other members of the health care team may use this record to help in treatment and in order to coordinate the different things individuals might need, such as prescriptions, lab work, and x-rays. If an individual is referred to another clinician or hospital, information regarding their visit may be shared with these health care providers.
Health care personnel may use PHI to create a bill to be sent to an individual patient or a third-party payer like an insurance company. The information on or accompanying the bill may include information that identifies the individual, as well as a diagnosis, procedures, and supplies used.
Standard Electronic Transactions
Units routinely billing for their services, performing transactions covered under HIPAA, and performing those transactions electronically must comply with the standard transaction code sets of HIPAA.
Quality Improvement Activities
Members of the clinical staff, the risk or quality improvement manager, or members of the quality improvement team may use PHI to assess the care and outcomes in a case and others like it. Covered components may use PHI to review treatment and services and to evaluate the performance of staff involved in providing care to patients.
Minimum Necessary Disclosure
Any information disclosed must be limited to the amount reasonably necessary to achieve the purpose of the disclosure. Standard criteria should be developed so staff can review requests for disclosure on an individual basis in accordance with those standard criteria.
Security of PHI
All covered components and members of their workforce (employees, students, and volunteers) must take appropriate and reasonable measures to safeguard the integrity, confidentiality, and availability of PHI. Specifically, these units must assess the needs for such safeguards, select and implement protections appropriate for the unit, and collaborate with the Penn State University Privacy Office in the process of assessing and implementing such safeguards. These safeguards must protect PHI from any intentional or unintentional use or disclosure that is a violation of the standards contained in this policy. (Related policies AD20, AD23, ADG01, ADG02)
Develop Access Control of PHI
All covered components must develop policies that identify the types of persons within their unit that need access to PHI and the specific PHI to which they need access.
Notice of Privacy Practices
Each covered component that has a direct treatment relationship with an individual must provide a Notice of Privacy Practices (the "Notice") to such individual upon the first delivery of services following the effective date of this policy. If the first delivery of services is an emergency situation, the Notice may be provided as soon as reasonably practical. The covered component must make a good faith effort to obtain a written acknowledgment that a Notice was provided, and if not obtained, the good faith efforts to obtain the individual's acknowledgment and why it was not obtained. The Notice must be readily available at all practice sites of covered components for distribution upon request, and must be posted for public view at an easily visible location.
Use of Support Services from Outside Vendors
A Covered Component may need to contract or otherwise arrange for services of a business, organization, or an individual who is not employed by the University (a "vendor") in order to perform tasks or services in support of the operations of the Covered Component. If the vendor will have access to PHI in the course of performing such services, a Business Associate Agreement between Penn State and the vendor must be in place prior to commencement of work. The Penn State Privacy Office is responsible for the preparation and processing of Business Associate Agreements, and a Covered Component or the Office of Purchasing Services must notify the Privacy Office of proposed vendor arrangements.
Access to PHI by Other University Units and Employees
A Covered Component may not disclose PHI, or allow the opportunity for access to PHI, to any Penn State employee who is not assigned to work in a Covered Component as designated in Part I of this policy, unless (a) such disclosure or access is necessary for the treatment of patients, for obtaining payment for services, or for the operation of the Covered Component, (b) such disclosure or access has been approved for research in accordance with Policy RA22, or (c) such disclosure or access is authorized in advance by the Privacy Officer.
Disposal of Paper and Electronic Records and Media Containing PHI
Covered components must establish safeguards for disposal of paper and electronic records and media containing PHI. If covered components do not shred paper products internally in a secure manner, and outside services are required, the Covered Component must use the Office of Physical Plant Blue Bag Program. If alternate methods are used, they must be approved by the Privacy Officer. The methods of disposal of electronic records and media must meet standards established by the Office of Security Operations and Services. Personal computers and servers containing PHI may only be disposed of in accordance with the procedures established by the Office of Security Operations and Services.
Covered components cannot use or disclose PHI for purposes of research, except as approved by the Office of Research Protections (See Policy RA22). This restriction applies to research proposed by Penn State faculty, staff and students, as well as to research proposed by any other person or organization. Certain exceptions may exist for PHI obtained by a researcher prior to the effective date of this Policy, as determined by the Office of Research Protections.
Covered components may disclose an individual's PHI in accordance with the terms of a written and signed authorization furnished by that individual. The approved Authorization Form can be obtained from the Privacy Office, and must be used for this purpose unless the Privacy Office has granted approval for use of another document.
As Required by Law
Covered components will disclose PHI about individuals when required to do so by federal, state or local law.
To Avert A Serious Threat to Health and Safety
Covered components may use and disclose PHI about individuals when necessary to prevent a serious threat to the individual's health and safety or the health and safety of the public or another person. Any disclosure to prevent a serious threat to health and safety may only be to someone able to help prevent that threat.
Individuals Involved in a Patient's Care
In life threatening/extreme emergency situations, covered components may use or disclose PHI to notify, or assist in notifying a family member, personal representative, or another person responsible for the care of another individual, regarding the location and general condition of the individual. Covered components may release PHI about individuals to a friend or family member who is involved in the health care of an individual. In addition, covered components may disclose PHI about the individual to an organization assisting in a disaster relief effort so that the individual's family can be notified about their condition, status and location. Individuals must be provided the opportunity to agree to, prohibit or restrict the use or disclosure of PHI to those organizations and individuals described in this section (III, D).
Public Health Risks
Covered components may disclose PHI for public health activities. These activities generally include the following:
- to prevent or control disease, injury or disability
- to report births and deaths
- to report child abuse or neglect
- to report reactions to medications or problems with products
- to notify people of recalls of products they may be using
- to notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition
- to notify the appropriate government authority if an individual has been the victim of abuse, neglect or domestic violence. This disclosure may occur only if the individual agrees or when required or authorized by law.
Health Oversight Activities
PHI may be disclosed by covered components to a health oversight agency for activities authorized by law. These oversight activities include, for example, audits, investigations, inspections, and licensure. These activities are necessary for the government to monitor the health care system, government programs, and compliance with civil rights laws.
Military and Veterans
PHI about members of the United States armed forces or foreign military personnel as requested by military command authorities to assure the proper execution of the military mission, may be disclosed by covered components. This disclosure may occur only if the appropriate military authority has published a notice in the Federal Register with the following information:
- appropriate military command authorities or the appropriate foreign military authority, and;
- purposes for which the protected PHI may be issued or disclosed.
PHI may be disclosed by covered components to the extent authorized by and to the extent necessary to comply with laws relating to workers' compensation or other similar programs established by law.
Lawsuits and Disputes
PHI may be disclosed by covered components in connection with a lawsuit or dispute in response to a court or administrative order. Covered components may also disclose medical information in response to a subpoena, discovery request, or other lawful process by someone else involved in the dispute. Covered components may use and disclose PHI in defending or asserting a lawsuit involving an individual's treatment by a Covered Component.
PHI may be disclosed by covered components if asked to do so by a law enforcement official:
- in response to a court order, subpoena, warrant, summons or similar process
- to identify or locate a suspect, fugitive, material witness, or missing person
- about the victim of a crime if, under certain limited circumstances, we are unable to obtain the person's agreement
- about a death we believe may be the result of criminal conduct
- about criminal conduct, and
- in emergency circumstances to report a crime; the location of the crime or victims; or the identity, description or location of the person who committed the crime.
National Security and Intelligence Activities
PHI may be disclosed by covered components to authorized federal officials for intelligence, counterintelligence, and other national security activities authorized by law.
Protective Services of the President of the United States and Others
PHI may be disclosed by covered components to authorized federal officials so they may provide protection to the President of the United States, other authorized persons or foreign heads of state or conduct special investigations.
PHI may be disclosed by covered components about inmates of a correctional institution or under the custody of a law enforcement official to the correctional institution or law enforcement official. This information may be disclosed if it is necessary for the institution to provide the inmate with health care; to protect the inmate's health and safety or the health and safety of others, or; for the safety and security of the correctional institutions.
Coroners, Medical Examiners and Funeral Directors
PHI may be disclosed by covered components to a coroner or medical examiner. This may be necessary to identify a deceased person or to determine the cause of death. In addition, covered components may disclose health care information to funeral directors as necessary to carry out their duties.
Accounting for Disclosures
Units covered by this policy must have systems in place for the accounting of disclosures of PHI.
Individuals have the following rights regarding PHI that covered components maintain about the individual:
Right to Inspect and Copy
Individuals have the right to inspect and copy PHI that may be used to make decisions about their own care. This includes medical and billing records, but does not include psychotherapy notes. To inspect and copy PHI, individuals must submit their request in writing to the unit creating or using that information. If individuals request a copy of the information, the Covered Component may charge a fee for the costs of copying, mailing or other supplies associated with the request. The Covered Component may deny a request to inspect and copy in certain very limited circumstances. If an individual is denied access to PHI, they may request that the denial be reviewed. Another licensed health care professional chosen by Penn State University will review the request and the denial. The person conducting the review will not be the person who denied the original request.
Right to Amend
If an individual feels that PHI the Covered Component has about them is incorrect or incomplete, they may ask to amend the information. The individual has the right to request an amendment for as long as the information is kept by or for the Covered Component.
To request an amendment, a request must be made in writing and submitted to the Covered Component responsible for the maintenance of that information. In addition, the individual must provide a reason that supports the request.
Covered components may deny the request for an amendment if it is not in writing or does not include a reason to support the request. In addition, covered components may deny the request if the individual asks to amend information that:
- was not created by the Covered Component, unless the person or entity that created the information is no longer available to make the amendment
- is not part of the PHI kept by or for the Covered Component
- is not part of the information which an individual would be permitted to inspect and copy or
- is accurate and complete.
Right to an Accounting of Disclosures
Individuals have the right to request an accounting of disclosures. This is a list of the disclosures made of PHI about the individual by covered components. This list will not include disclosures made to the requesting individual, disclosures made for the purposes of treatment, payment or health operations or those authorized by the individual.
To request an accounting of disclosures, the individual must submit a request in writing to the Covered Component responsible for that information. The request must state a time period, which may not be longer than six (6) years and may not include dates before April 14, 2003. The request should indicate in what form the individual wants the list (e.g., on paper, electronically). Units may charge individuals for the cost of providing the list. Units must notify individuals of the cost involved and individuals may choose to withdraw or modify their request at that time before any costs are incurred.
Right to Request Restrictions
Individuals have the right to request a restriction or limitation on the PHI used by covered components or disclosed about the individual for treatment, payment or health care operations. Covered components are not required to agree to the individual's request.
Restrictions must be requested in writing to the University unit responsible for the use and disclosure of that information. In the request, the individual must tell the unit (1) what information they want to limit; (2) whether they want to limit use, disclosure or both; and (3) to whom they want the limits to apply, for example, disclosure to a spouse or parent.
Right to Request Confidential Communications
Individuals have the right to request that University personnel communicate with them about health care matters in a certain way or at a certain location. For example, the individual can request that they only be contacted at work. To request confidential communications, individuals must make their request in writing to the unit responsible for this communication. Penn State personnel may not ask the individual the reason for the request. The responsible University unit will accommodate all reasonable requests so long as that request does not violate the other protections specified in this policy or other state or federal law. Any request must specify how or where the individual wishes to be contacted.
Right to a Paper Copy of the Notice of Privacy Practices
The individual has the right to a paper copy of the Notice of Privacy Practices. Individuals may ask covered components to give them a copy of this notice at any time. Even if an individual has agreed to receive the notice electronically, they are still entitled to a paper copy of the notice.
Chief Privacy Officer Designation
The University shall designate a Chief Privacy Officer responsible for implementing and monitoring University compliance with HIPAA.
Health Care Component HIPAA Compliance
Each Covered Component shall assign a staff member of the responsibility for HIPAA compliance and regulatory implementation.
Privacy Office Designation
The Chief Privacy Officer shall administer the program through the University Privacy Office that establishes and enforces University standards related to implementation of HIPAA requirements.
Security standards under HIPAA, when issued, will be coordinated with PSU Computer Network Security Policy AD20, AD23, and ADG02
Business Associate Agreements
The Privacy Office will be responsible for the review and approval of all Business Associate Agreements under HIPAA (track current agreements, modifications and all other activities associated with Business Associate Agreements).
Complaints Under HIPAA
The Privacy Office will be responsible for the implementation and administration of an institutionally based complaint process in compliance with the rules and regulations of HIPAA. Patients may complain directly the Penn State Privacy Office or to the Secretary of Health and Human Services if they believe their privacy rights have been violated. To contact the Penn State Privacy Office, complaints may be directed to:
Chief Privacy Officer
Penn State Privacy Office
103 Rider Building
227 West Beaver Avenue
State College, PA 16801
Employees, students, and volunteers of the units within the covered components of Penn State must receive training to assure their understanding of privacy policies and procedures. This training must be appropriate for the members of the workforce to carry out their function within their employment, educational or volunteering area. Each new member of the covered units' workforce must also be trained within a reasonable period of time after the new staff member begins their employment or activity with the University. In addition, all employees of the covered components must receive training updates when there is a substantial change in the privacy policies that would affect the ability to do their job.
At the conclusion of all training sessions, participants shall sign and date a statement indicating their understanding and agreeing to comply with the privacy policies and procedures of Penn State and other requirements as defined in the training session. This statement shall further include information about the documents provided as part of the training and an acknowledgment of the sanctions for the failure to comply with this policy.
Sanctions for Failure to Comply with this Policy
Failure to comply with the requirements of this policy may result in the imposition of sanctions in accordance with disciplinary policies or labor agreements applicable to University employees, including termination of employment. Students who fail to comply with the requirements of this policy may be subject to imposition of sanctions in accordance with student disciplinary policies, including dismissal from the University.
No Penn State employee may intimidate, threaten, coerce, discriminate against, or take retaliatory action against any person receiving health care or other services for exercising their rights under HIPAA.
Other Policies in this manual should also be referenced, especially the following:
AD20 - Computer and Network Security,
AD23 - Use of Institutional Data,
ADG01 - Glossary of Computer Data and System Terminology,
ADG02 - Computer Facility Security Guideline,
RA22 - HIPAA and Research at Penn State University
RA23 - HIPAA and Research at The Milton S. Hershey Medical Center And Penn State College Of Medicine
Effective Date: April 14, 2003
Date Approved: March 31, 2003
Date Published: April 8, 2003 (editorial change January 22, 2013)
Most recent changes: