
Health Center

Towson University Policy on Compliance with the Health Insurance Portability and Accountability Act

I.          General

The policy of Towson University is to comply with the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (collectively, “HIPAA”), to the extent that HIPAA is applicable to the University.

II.        Status as Hybrid Entity

Towson University’s activities include both HIPAA covered and non-covered functions.  Accordingly, the University has determined that it is a hybrid entity for HIPAA purposes.

III.       Required Designations

The University has designated its health care components and its business associate components (which are included only to the extent that they perform HIPAA covered functions or activities that would make them business associates of a University health care component if the two were separate legal entities).  The designated health care components and the designated business associate components are hereafter collectively referred to as “covered components.”  The University’s HIPAA privacy officer keeps the current designations.  Such designations may be amended from time to time by the privacy officer. (The initial designations are attached as Attachment A.)  Other units that perform health care functions may voluntarily choose to comply with or participate in some or all HIPAA requirements, policies or procedures.  Such voluntary compliance or participation shall not affect a unit’s status as a non-covered component.

The University has designated a HIPAA privacy officer, who is responsible for the development and implementation of policies and procedures as required by HIPAA.  The privacy officer may amend the University’s designation of covered components from time to time, as appropriate.  The privacy officer is also designated to receive complaints concerning the University’s HIPAA related policies and procedures and HIPAA compliance and to provide further information about matters covered by the University’s Notice of Information Practices.   (The initial designation is attached as Attachment B.)

Each covered component shall designate a privacy coordinator to interact with the privacy officer and coordinate HIPAA compliance within the unit.  Documentation of each privacy coordinator designation shall be provided and maintained by the privacy officer.


IV.       Procedures

Each covered component designated as described above is responsible for developing procedures to comply with HIPAA, including appropriate administrative, technical and physical safeguards to protect the privacy of protected health information as required by HIPAA.   Each covered component is also responsible for providing the University’s privacy officer with a current copy of the procedures and any forms or other HIPAA related documents.  The privacy officer may require a health care component to change its procedures, forms, or related documents.  

V.        Meetings

The privacy officer has authority to call a meeting of representatives of all covered components as necessary in his or her discretion.

VI.       No Retaliation

Neither the University, nor any of its employees, will intimidate, threaten, coerce, discriminate against, or take other retaliatory action against:
            1.         Any individual for his or her exercise of any rights under, or participation in any process established by, the HIPAA privacy regulations, including filing a complaint; or
            2.         Any person for:
                        a.         filing a complaint with the U.S. Secretary of Health and Human Services (or any other officer or employee of HHS to whom the authority has been designated) under the HIPAA regulations;
                        b.         testifying, assisting, or participating in an investigation, compliance review, proceeding, or hearing under Part C of Title IX; or
                        c.         opposing any act or practice made unlawful by the HIPAA privacy regulations, provided the person has a good faith belief that the practice opposed is unlawful, and the manner of the opposition is reasonable and does not involve a disclosure of protected health information in violation of the HIPAA privacy regulations.

VII.      Training

The University will develop a general training program to be used in covered components.  The University’s privacy officer will have current copies of all training materials.  In addition, each covered component is responsible for developing a training program specific to that component, and for providing the University’s privacy officer with copies of its training materials.  Both the general and the specific training will be provided to employees as required by HIPAA, under the oversight of the University’s privacy officer.  The privacy officer and the privacy coordinators shall maintain copies of the training materials and document that the required training has been provided.  The privacy officer may require a health care component to revise its training materials.

VIII.    Waiver of Rights

The University will not require individuals to waive their rights under section 160.306 of the HIPAA regulations, or under the HIPAA privacy regulations, as a condition of the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits.

IX.       Mitigation

The University must mitigate, to the extent practicable, any harmful effect that is known to it of a use or disclosure, by the University or its business associates, of protected health information in violation of its policies and procedures or the HIPAA privacy regulations.

X.        Sanctions

Violation of this policy by a University employee is subject to appropriate personnel or other disciplinary action. 

XI.       Documentation

All policies, procedures, communications, actions, activities and/or designations that require documentation under HIPAA shall be maintained in written and/or electronic form and retained for a period not less than six years from the date of its creation or the date when it was last in effect, whichever is later.

The University’s privacy officer will determine whether documentation required by HIPAA and/or this policy should be kept centrally by the privacy officer, or whether any health care component will be responsible for keeping its own documentation as required by HIPAA.  The privacy officer has the authority to require any health care component to send all documentation to him/her. 

XII.      Amendment

The University may change this policy and the procedures described herein as necessary and appropriate, in accordance with standard University procedures and any applicable law and/or regulations.  

Attachment A

Health care components

            Student health center
            Speech and audiology clinic

Business associate components

            Bursar’s office
            Computer and Network Services
            Audit (as necessary)
            University Counsel (as necessary)

Attachment B


HIPAA privacy officer:  Daniel P. Leonard




