85 Health Insurance Portability and Accountability Act (HIPAA)

Approved by President
Effective Date: January 12, 2021
Responsible Division: Business and Finance
Responsible Office:  Compliance and Enterprise Risk Management
Responsible Officer: Assistant Vice President for Compliance and Enterprise Risk Management

I. Purpose

This policy ensures Middle Tennessee State University’s (MTSU or University) compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA or the Act). The Campus Pharmacy is covered under the Act as a covered entity and healthcare provider. 

II. Background

HIPAA (Pub. L. 104-191) sets forth national standards to protect individually identifiable health information by certain covered entities. The Act additionally requires information technology security protections for electronically stored and transmitted healthcare data sets and provides certain patient protections and rights regarding access to individual health information.

III. Scope

As a healthcare provider and HIPAA covered entity, the staff, student workers, interns, part-time employees, and healthcare business associates of Campus Pharmacy are covered under this policy. Additionally, the policy covers all areas of the University for which healthcare documentation is transmitted to external agencies for healthcare operations or treatment purposes including, but not limited to, University Counseling services, the University Speech Clinic, and the Dyslexia Center.

IV. Definitions

A.  Breach Log. A log of all breaches of unsecured protected health information (PHI).

B.  Business Associate. A person or entity contracted by covered entities to provide certain health care activities or functions on behalf of the covered entity including, but not limited to, the use and disclosure of protected health information for healthcare billing services; benefit management services; consulting; repricing; practice management; quality assurance; and utilization review; and claims processing. Business Associates are covered under the HIPAA privacy rule and must provide assurances to covered entity that protected health information will be safeguarded from misuse and will not be used for the business associate’s independent purposes.

C.  Covered Entity. A healthcare provider, health plan, or healthcare clearinghouse. A healthcare provider includes: doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies that transmit healthcare information in an electronic format in connection with a Department of Health and Human Services (HHS) adopted standard. Health plans include: health insurance companies, health maintenance organizations (HMOs), company health plans, and government funded healthcare programs, such as Medicare, Medicaid, and the military and veterans’ health care programs.  Healthcare clearinghouses are entities that process nonstandard health information, received from another agency, into standard, electronic data or content.

D.  Protected Health Information (PHI). The most common protected health information includes the following:

1.  Name

2.  Street address

3.  Zip code

4.  Date of birth

5.  Patient age

6.  Telephone number (home, work, mobile)

7.  Fax number

8.  E-mail address

9.  Health Plan, Medicare, or Medicaid number

10.  Diagnosis or diagnosis code

11.  Social Security Number

12.  Medication and any health or allergy information

13. Patient video recordings from therapy and/or counseling and psychotherapy sessions.

V. Policy

All covered entities are required to provide written notice to patients affected by a breach of unsecured PHI. (45 C.F.R. § 164.408). 

A. Breaches Affecting Fewer than 500 Individuals. For breaches affecting fewer than 500 individual, notifications must be made to the federal Department of Health and Human Services (HHS) within sixty (60) days of the end of the calendar year in which the breach was discovered.  Notifications to HHS must be submitted electronically on the agency’s Health Information Privacy Web portal (Web Portal). Covered entities are not required to wait until the end of the calendar year to report a breach of PHI and may, instead, report the breach at the time of occurrence. Separate notices also must be completed for each breach incident.

B.  Breaches Affecting 500 Individuals or More. For breaches affecting 500 individuals or more, notification must be made to HHS without reasonable delay and in no case later than sixty (60) calendar days from the discovery of the breach.  Notification to HHS must be submitted electronically by utilizing the HHS Web portal. In addition, all affected individuals must be notified of the breach and should describe the PHI involved and the method by which the PHI was stolen (e.g. missing laptop, non-shredded PHI in a trash container). For a breach affecting 500 or more individuals, notification must also be provided to a major media outlet within the state. The Secretary of HHS will post, online, breaches affecting 500 individuals or more at www.hhs.gov/ocr/privacy.

C.  Breach Log. A log of all breaches of PHI must be maintained by the Covered Entity and reported to the Secretary of HHS by March annually.

D.  Acknowledgment of Receipt. The Act requires that notification of the Covered Entity’s privacy practices be provided to all patients.  For example, patients who receive or pick up prescriptions must be provided notice of the Campus Pharmacy’s privacy practices. Patients should be asked to sign electronically, or in writing, to acknowledge receipt of the Covered Entity’s practices.  Where a patient refuses to acknowledge receipt of the privacy practices, the Covered Entity shall document the refusal of its good faith effort to provide the patient with its notice of privacy practices.

E. Minimum Necessary. The Covered Entity shall maintain, and implement, practices, policies and procedures to limit unnecessary or inappropriate access to, and disclosure of, protected health information. Only the minimally necessary information should be shared regarding the patient’s health record or healthcare data set to accomplish a specific function or for a particular purpose. The Covered Entity should rarely need to share the whole patient record for a prescriber to provide proper care or for a third-party to process a claim. The Minimum Necessary standard does not apply to the following types of disclosure and information:

1.  Disclosures or request by a healthcare provider for treatment purposes.

2.  Disclosures to the individual (patient) who is the subject of the information.

3.  Uses or disclosures made pursuant to an individual’s authorization.

4.  Uses or disclosure required for compliance with HIPAA’s Administrative Simplification Rules.

5.  Uses or disclosure that are required by law enforcement agencies.

The Covered Entity’s procedures must identify the Pharmacy staff, business associates, student workers, or other individuals who need access to PHI to perform their job duties.

F.  Business Associates – Direct Liability. Business Associates of Campus Pharmacy can be subject to liability for failure to follow the requirements of HIPAA. The following outlines recent 2019 requirements from the Office of Civil Rights (OCR) for which Business Associates can be held liable and for which the OCR can exact enforcement action:

1. Failure to provide the Secretary of the Department of Health and Human Services (Secretary) with records and compliance reports; cooperate with complaint investigations and compliance reviews; and permit access by the Secretary to information, including protected health information (PHI), pertinent to determining compliance.

2. Taking any retaliatory action against any individual or other person for filing a HIPAA complaint, participating in an investigation or other enforcement process, or opposing an act or practice that is unlawful under the HIPAA Rules.

3.  Failure to comply with the requirements of the HIPAA Security Rule.

4.  Failure to provide breach notification to a covered entity or another business associate.

5.  Impermissible uses and disclosures of PHI.

6.  Failure to disclose a copy of electronic PHI to either the covered entity, the individual, or the individual’s designee (whichever is specified in the business associate agreement) to satisfy a covered entity’s obligations regarding the form and format, and the time and manner of access under 45 C.F.R. §§ 164.524(c)(2)(ii) and 3(ii), respectively.

7.  Failure to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.

8.  Failure, in certain circumstances, to provide an accounting of disclosures.

9.  Failure to enter into business associate agreements with subcontractors that create or receive PHI on their behalf, and failure to comply with the implementation specifications for such agreements.

10.  Failure to take reasonable steps to address a material breach or violation of the subcontractor’s business associate agreement.

G.  Patient Authorization. Patient authorization provides covered entities with permission to utilize or transmit PHI for specific purposes. 

1. The authorization must be in writing and must contain the following elements:

a. A description of the PHI to be used and or disclosed.

b. The individual authorized to make the disclosure or use of PHI.

c. An expiration date of the authorization.

d. The purpose for which the PHI can be used or disclosed.

2. Patient authorization also is expressly required for uses and disclosures of PHI for all marketing communications with the exception of:

a. Communication that occurs face-to-face between the covered entity and the individual (such as across the Campus Pharmacy counter); and

b. Communication that involves a promotional gift of nominal value.

H. Patient Consent. Patient consent may be obtained for uses and disclosures of PHI for healthcare treatment, payment, and healthcare operations but is not required under the HIPAA Privacy Rule.

I. Patient Rights. Under HIPAA’s Privacy Rule, patients have certain rights for which covered entities must comply. The patient, or the patient’s personal representative (45 CFR § 164.502(g)), has the right to:

1. Ask to see his/her health records.

2. Ask to obtain a copy of his/her health records.

3. Have corrections made to an individual’s health records.

4. Receive a notice that tells the patient how their health information can be used or shared for certain purposes.

5. Receive a report on when and why the patient’s health information was used or shared.

6. Receive notification of a breach of their protected health information.

7. Request to review health records of the patient used for treatment, payment, or healthcare operations.

8. File a complaint with HHS if the patient is denied their rights under HIPAA, or if it is believed their information is not being protected.

J. Right to Access Health Records. The HIPAA Privacy Rule provides individuals with a legal, enforceable right to view, and receive, copies of their medical information and other health records and PHI, with limited exceptions. Specifically, individuals have the right to access PHI in a “designated record set,” which is defined as a group of records consisting of: medical records; billing records; enrollment, payment, and claims adjudication records; and other records that are used to make decisions about an individual’s access to the designated record set.

In addition, MTSU recognizes OCR’s “HIPAA Right of Access Initiative” (Initiative) and understands the importance of individual access to the designated record set and individuals’ rights under 45 CFR §§ 164.514 and 164.524. In furtherance of OCR’s Initiative, individuals wishing to access health records must provide a request to Campus Pharmacy and/or Health Services in writing. Such writing may be through the use of email or a secure web portal. Campus Pharmacy and/or Health Services will take reasonable steps to verify the identity of the individual requesting access to any health records. Records requested will be provided no later than thirty (30) calendar days from receiving the request; however, a reasonable cost-based fee may be assessed for individuals requesting to receive a copy of their PHI (45 CFR §§ 164.524(b)(2) and 164.524(c)(4). Any fee assessed must not include the costs associated with verification, documentation, searching, or retrieving the PHI, or for maintaining systems, or for recouping capital for data access, storage, or infrastructure costs.

K. COVID-19 and Global/National Health Emergencies. Public health authorities and others responsible for ensuring public safety must have access to PHI to protect the public health and to advance the public health mission. Therefore, PHI may be disclosed without an individual’s prior authorization:

1.  to a public health authority that is authorized by law to collect or receive information for the purpose of preventing or controlling disease, injury, or disability (45 CFR §§ 164.501 and 164.512(b)(1)(i));

2.  at the discretion of a public authority to a foreign government agency that is acting in collaboration with the public health authority (45 CFR § 164.512(b)(1)(i)); and

3.  to persons at risk of contracting or spreading a disease, such as COVID-19, or other conditions in which federal or state law authorizes the notification of such persons as necessary to prevent or control the spread of disease and/or to carry out other public health interventions or investigations (45 CFR § 164.512(b)(1)(iv)).

L. Security Rule. The HIPAA Security Rule sets forth a national set of security standards for protecting certain health information that is maintained or transferred in electronic format. Both the technical and non-technical safeguards of the Security Rule requires protections of PHI, electronic protected health information (e-PHI), and such clinical applications as computerized physician order entry (CPOE).  The Security Rule additionally specifies a series of administrative, technical, and physical security procedures that must be utilized by covered entities and their business associates to assure the integrity, privacy, and availability of e-PHI, as well as to protect against any anticipated cyber-threats involving e-PHI and electronic health records.

Minimally, Covered Entities must have the following HIPAA Security Safeguards in place:

1. Authorized access and control of the physical facility.

2. Workstation, device, and electronic media security, as well as written policies and procedures on the proper use of, and access to, workstations and devices containing e-PHI.

3. Technical safeguards, in collaboration with the University’s Information Technology Division, that assure: access control; audit controls; integrity controls; and transmission security (including electronic network security and dedicated facsimile or email).

Such technical safeguards must also comply with the Health Information Technology for Economic and Clinical Health Act of 2009. (HITECH, Pub. L.111-5)

M.  Telehealth. During a national emergency, such as COVID-19, telehealth services through remote communications technologies may be utilized to communicate with patients utilizing MTSU ITD approved, and secured, laptops and security software. While telehealth services may not fully comply with the requirements under the HIPAA Privacy and Security Rules, the OCR and the Department of HHS continue to exercise discretion regarding telehealth services during the COVID-19 pandemic and will not impose penalties for noncompliance with the HIPAA Rules under this section in connection with any good faith provision of telehealth for patient services. In addition, telehealth may be utilized to assess or treat similar or other medical conditions unrelated to COVID-19 during a national emergency.

While the use of video chats such as Zoom for Healthcare, Skype for Business, Microsoft Teams, or other MTSU ITD approved services are acceptable for use as a good faith provision of telehealth, the use of Facebook Live, Twitch, TikTok, or other similar communications must not be utilized for telehealth services.  

N. Government Resources. If a patient wishes to file a healthcare information privacy or security complaint, the Campus Pharmacy shall provide information about the HHS website and direct them to the Office of Civil Rights Complaint Portal for instructions on how to complete the complaint. The Department of HHS also provides a Breach of Unsecured Protected Health Information Portal (Breach Portal) of providers and other Covered Entities who have notified the OCR of HIPAA breaches. The HHS and OCR Breach Portal can be found at https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf.

VI. Training

In-person and/or virtual training of all Campus Pharmacy and Health Services employees, including student workers, interns, graduate assistants, and part-time employees, shall occur annually as part of the Fall Health Services in-service programming. New hires of Campus Pharmacy shall receive HIPAA training within thirty (30) days of hire. Refresher training also shall be conducted, as needed, to ensure employee compliance with HIPAA practices.

Electronic training also shall occur annually for all Campus Pharmacy and Health Services employees, including student workers, interns, graduate assistants, and part-time employees. The annual electronic training shall be distributed during the first week of November of each year with a completion due date within sixty (60) days of the training’s availability.

VII. Annual Review

This policy shall be reviewed for expansion and/or revision annually by University Health Services; Campus Pharmacy; the Office of University Counsel; and the Office of Compliance and Enterprise Risk Management.

Forms: none.

Revisions: November 6, 2017 (original); July 12,2019; January 12, 2021.

Last Reviewed: March 2022.

References: HIPAA, Pub. L. 104-191; HIPAA Privacy Rule and Patient Rights, 45 CFR § 164.502(g)); HITECH, Pub. L.111-5.; HHS Fact Sheet: Direct Liability of Business Associates (May 2019); HIPAA Privacy Guidance on Rights of Access; Individuals’ Rights under HIPAA to Access their Health Information 45 CFR § 164.524; FAQs on Telehealth and HIPAA during the COVID-19 nationwide public health emergency; Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency (Mar. 30, 2020); Office for Civil Rights, U.S. Department of Health and Human Services, BULLETIN: HIPAA Privacy and Novel Coronavirus (Feb. 2020).