HIPAA Compliance Program - Compliance
HIPAA Compliance Program
Overview of HIPAA
What is HIPAA?
It is a federal law titled the Health Insurance Portability and Accountability Act (HIPAA).
Which federal agency oversees HIPAA compliance?
The Department of Health and Human Services (HHS), Office for Civil Rights (OCR).
Why was HIPAA established?
To protect employees’ insurance when they have lost or changed jobs.
To protect the privacy and security of patients’ health information.
To adopt national standards for electronic health care transactions.
To improve the efficiency and effectiveness of the health care system.
What do the HIPAA regulations do for health care?
Protects patients’ rights regarding their health information, including the right to review it and make decisions about how it is used and disclosed.
Provides for appropriate use and disclosure of patients’ health information.
Requires health care providers to implement safeguards to ensure privacy of patients’ health information.
On what exactly do the privacy regulations focus?
Individually identifiable information, which means it identifies the patient or could be used to identify the patient.
Paper or electronic patient medical or health records.
Patient information exchanged verbally.
Information relating to the past, present, or future physical or mental condition of an individual.
Research data that identifies individual patients.
Patient Rights Under HIPAA
UT Health San Antonio is committed to protecting and safeguarding the confidential and sensitive information entrusted to us through various means. The UT Health San Antonio Institutional Compliance and Privacy Office (ICPO) ensures that UT Health San Antonio complies with the privacy laws, rules, and policies. We strive to create a culture of privacy awareness and for the highest level of commitment to protecting personally identifiable information.
The ICPO handles issues related to privacy practices, policies, concerns, and complaints. We also act as a resource for patients, staff, and students. The privacy laws provide for certain privacy rights.
Read more about Patients’ Rights under HIPAA.
Forms of Interest
Notice of Privacy Practices (English)
Notice of Privacy Practices (Spanish)
Notice of Privacy Practices – Telemedicine (English)
Notice of Privacy Practices – Telemedicine (Spanish)
Patient Privacy Policies & Procedures
The Institutional Handbook of Operating Policies (IHOP), Chapter 11 – Patient Privacy Policies, governs general oversight, uses and disclosures of protected health information (PHI), patient rights regarding the privacy of PHI, and the requirement that all employees, students and non-employees of the Health Science Center complete mandatory training in patient privacy regulations and policies.
Business Associates
Purpose of Business Associate Agreements
Any person or company that is a Business Associate is required to sign a contract containing special language mandated by the privacy rules. Business Associate Agreements (BAA) assist UT Health San Antonio in protecting our patients’ health information when it is released to someone outside our organization.
Definitions:
Business Associate: A Business Associate is a person or entity to which UT Health San Antonio discloses protected health information so that the person/entity can carry out, assist with the performance of, or perform a function or activity for or on behalf of UT Health San Antonio.
Protected Health Information (PHI): A patient’s or participant’s (in the case of research) health information that identifies the person or can be used to identify the person.
Business Associate Test:
Is UT Health San Antonio disclosing PHI?
Does the recipient of the PHI provide a service to, for, or on behalf of UT Health San Antonio?
If the answer to both of the above questions is “yes”, you may have a relationship that requires a business associate agreement.
Not Business Associates
UT Health San Antonio Workforce: Employees, faculty, residents, students
Health care workers providing treatment
Providers with staff privileges at the institution
Labs
Individuals or companies with very limited and incidental exposure to health information, such as telephone company, electrician, etc.
Companies that act as a conduit for PHI, such as the postal service, UPS, private couriers, etc.
Potential Business Associates
Lawyers
External auditors or accountants
Professional translator services
Answering services
Consultants hired to conduct audits, perform coding reviews, etc.
Accreditation agencies
Shredding and/or documentation storage companies
Data processing firms or software companies that may be exposed to or use PHI
Medical transcription services, even if you contract with an individual rather than a company
Medical equipment service companies handling equipment that holds PHI
E-prescribing gateways
Health information organizations
Process for Completing a Business Associate Agreement (BAA)
Department Responsibilities
Determine when a vendor, person, or company is providing services, functions, or activities that involve the sharing of patient health information
Ensure BAA is in place prior to services being provided
Prepare a description of the “purposes for the sharing of PHI” to be included in the BAA
Contact the Purchasing Department at buscontracts@uthscsa.edu or (210) 562-6203 for assistance in completing the BAA
Purchasing Department (Manager for Contract Administration) Responsibilities
Complete the BAA for signature
Assess need for review by the Legal Office and/or the Institutional Compliance & Privacy Office
Ensure BAA is signed by the vendor and the appropriate institutional signatory authority
Maintain the original signed BAA
Process for Termination or Non-Renewal of a Contract with a Business Associate
When institutional data is stored/maintained by the business associate, the following steps are required:
The department will notify the Purchasing Department, Manager for Contract Administration, to assess the contract and BAA terms
The Purchasing Department, Manager for Contract Administration, will assess the need for review by the Legal Office and/or the Institutional Compliance & Privacy Office
The department will ensure the return or destruction of data providing confirmation to the Purchasing Department, Manager for Contract Administration
The Purchasing Department, Manager for Contract Administration, will maintain that confirmation with the BAA. If it is not feasible to return or destroy the data, the BAA will continue to extend its protections to limit further use or disclosure by the business associate.
Select HIPAA Links
Office for Civil Rights (OCR)
Centers for Medicare & Medicaid Services (CMS)
American Dental Association
American Health Information Mgmt. Assoc. (Search “HIPAA”)
American Hospital Association
HIPAA Summit
Texas Health Information Management Association
WEDI – Strategic National Implementation Process (SNIP)
Contacts & Resources
Any questions or concerns related to privacy matters should be directed to the Privacy Team in the Institutional Compliance & Privacy Office at compliance@uthscsa.edu or (210) 567-2014, or by calling the Compliance Hotline at (877) 507-7317.
You can also contact a member of the Privacy Team directly:
Angelife Pardo, MSIT, CHPC, CISSP, CRISC, PMP
Director, Privacy Program
pardoa@uthscsa.edu
Mark S. Curnow, MS, CHC, CHPS
Compliance Analyst, Senior
curnowm@uthscsa.edu
Bianca De La Fuente, BSBM, CHPC
Privacy Analyst
delafuenteb@uthscsa.edu
Caleb Barrera, CHTS
Privacy Analyst
barrerac5@uthscsa.edu