2017 Recompilation, formerly Rule 15.50
04/11/17 Rule approved by Chancellor
PART 1: INTRODUCTION
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the regulations promulgated thereunder cover health plans, health care clearinghouses and health care providers who conduct certain financial and administrative transactions electronically. In New Mexico, all information contained in an individual’s medical record is confidential and cannot be disclosed without consent of the individual, except in certain circumstances. (NMSA 1978 § 24-14-26 and §24-14-27). As directed by RPM 15.50 Information Data Security, New Mexico State University (“university” or “NMSU”) adopts this rule for the protection of the privacy relating to health information of university students, employees and their dependents, in compliance with HIPAA and applicable regulations, as well as applicable related state law.
PART 2: DEFINITIONS
- Covered Component: Covered Components are the categories corresponding to HIPAA’s covered entity designations, by which the NMSU entities are designated to require compliance with HIPAA. (See Part 3)
- Health Information: Health Information includes anything in any form or medium created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearing house that relates to the past, present or future physical or mental health or condition of an individual; or the past, present or future payment for the provision of health care to an individual.
- HIPAA: HIPAA is the Health Insurance Portability and Accountability Act of 1996, which mandates significant change in the laws and regulations governing the provision of health benefits, the delivery and payment of health care services and the security and confidentiality of Individually Identifiable and Protected Health Information. As used in this Rule, HIPAA will also include the regulations promulgated under the authority of the Act.
- HIPAA Privacy Officer (HPO): The HPO is the individual responsible for the development and implementation of HIPAA policies and procedures for NMSU and who is the primary contact for receiving complaints and is able to provide further information about matters covered by the Notices of Privacy Practices.
- HIPAA Security Officer (HSO): The HSO is the individual responsible for the development and implementation of the policies and procedures required by the HIPAA Security Rules for NMSU.
- Hybrid Entity: A Hybrid Entity is a single legal entity that has some units performing functions that meet the definition of a covered entity under HIPAA (Covered Component under this Rule), and others that do not.
- Individually Identifiable Health Information: Individually Identifiable Health Information is information in any form or medium that identifies or reasonably can be used to identify the individual and relates to the: past, present or future physical or mental health or condition of an individual; provision of healthcare to the individual; or past, present or future payment for the provision of health care.
- Notice(s) of Privacy Practices: Notice(s) of Privacy Practices refers to the document that specifies how a covered health care provider or covered health plan uses and discloses Protected Health Information and the rights of individuals related to this information.
- NMSU Entity: NMSU Entity, sometimes also referred to as “unit”, is a general term which may refer to a college, a department or any other individual administrative unit within the NMSU System, including but not limited to agricultural experiment stations. Private not-for-profit corporate entities recognized to be affiliated with NMSU for fundraising, research, public service, or student activity purposes, while subject to certain NMSU policies and procedures to maintain recognized status, are not considered “NMSU entities”, and if located on NMSU premises, are referred to as “External Entities”
- Protected Health Information (PHI): Protected Health Information (PHI) is Individually Identifiable Health Information in any form or medium maintained or transmitted by an NMSU entity within one of the Covered Components. PHI includes: (1) demographic information collected from an individual; (2) medical history; (3) information relating to the past, present or future physical or mental health or condition of an individual that is identifiable; (4) the provision of health care to an individual or the payment for the provision of health care; (5) results of physical examinations, blood tests, x-rays; and (6) results of other diagnostic and medical procedures. PHI excludes “de-identified information,” defined as health information that does not identify an individual and with respect to which there is not reasonable basis to believe that the information can be used to identify an individual.
- Research: Research as used in this Rule is a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge. See 45 CFR 164.501. Please note, an NMSU entity within one of the Covered Components may always use or disclose for research purposes health information which has been de-identified (in accordance with 45 CFR 164.502(d), and 164.514(a)-(c) of the Rule).
PART 3: HIPAA HYBRID ENTITY DESIGNATION AND NMSU COVERED COMPONENTS
A. Designation as Hybrid Entity
Some of the university’s educational and business activities are covered under HIPAA law and regulations, and most are not. NMSU hereby designates itself as a hybrid entity.
B. NMSU Covered Components
NMSU has three Covered Components: 1) the Health Care Provider component, which contains departments that provide health-related services, 2) the Health Plan component, which includes certain plans within the university that are determined to be covered by the HIPAA law and regulations, and 3) the Administrative Support Component, which performs support functions on behalf of the Health Care Providers and Health Plan components. The NMSU Covered Components recognized at the time of adoption of this Rule are as follows:
- Health Care Provider Component:
- Campus Health Center
- Counseling Center
- Social Work Services
- Sports Medicine/Athletic Training Center
- Speech and Hearing Center
- Emergency Medical Response (Police and Fire)
- Counseling and Educational Psychology (CEP) Center
- Family Resource Center (unit of ACES)
- Student Accessibility Services
- Student Clinics (Main, DACC, or branch campuses) Dental, Nursing, EMS, Allied Health, etc.
- Health Plan Component:
- NMSU Benefits Office
- International Programs Student Health Insurance
- Administrative Support Component: Administrative Support Units are only subject to HIPAA to the extent that they perform support functions of behalf of the Health Care Providers and Health Plan components and must access protected health information in performing those functions.
- Information Technology Services
- Accounts Receivable
- Internal Audit
- Office of General Counsel
- Office of Institutional Equity
- Purchasing and Risk Management
- Environmental Health and Safety
- University Research
C. In the event that an NMSU employee or office not identified as a NMSU Covered Component above has a need to access protected health information, for the duration of a project or longer, the responsible administrator for the unit must contact the HIPAA Privacy Officer for guidance to ensure compliance with this Rule and with HIPAA.
PART 4: PRIVACY NOTICES AND CONSENT
Each health care provider component will distribute Notices of Privacy Practices to participants in health care services and participants in research provided or conducted by NMSU. The privacy notices will include a consent to participate in the health care services or research.
PART 5: DESIGNATION AND DUTIES OF HIPAA PRIVACY AND HIPAA SECURITY OFFICER
As required by HIPAA, NMSU designates the IT Compliance Officer as the HIPAA Privacy Officer (HPO) and the Chief Information Security Officer as the HIPAA Security Officer (HPO) (collectively referred to as the HIPAA Officers). These positions may perform other tasks and duties on behalf of the university, but must have the duties and responsibilities designated to ensure compliance with HIPAA as part of their job descriptions. The HPO and HSO will be responsible for facilitating compliance with this Rule by developing, implementing and maintaining a university system wide HIPAA Compliance Program. To ensure comprehensive coverage of the program, the HIPAA Officers should collaborate and coordinate efforts with the University’s Compliance Oversight Committee as well as with other relevant university departments. The HPO and HSO may also create and maintain a website dedicated to providing HIPAA compliance related training and other resources and guidance for the university community.
A. HIPAA Privacy Officer (HPO)
The HPO will have sufficient authority and resources to fulfill the duties determined to ensure compliance with HIPAA and be responsible for privacy matters related to HIPAA. (Privacy §164.530(a) – Personnel designations) The HPO’s responsibilities will include, but are not limited to, the following:
- Develop and implement HIPAA privacy forms and operational policies;
- Receive, investigate and appropriately handle privacy complaints;
- Coordinate privacy and security efforts across the university system to ensure adequate development of the HIPAA Compliance Program;
- Monitor, report and initiate changes to university policies and procedures in relation to local, state and federal statutes, regulations and ordinances that may affect the HIPAA Compliance Program;
- Coordinate delivery of related HIPAA privacy and security training and ensure compliance for training determined to be mandatory for employees of the university;
- Investigate and respond to HIPAA related complaints and incidents in accordance with the established policies and procedures related to HIPAA security and privacy;
- Provide guidance and support to units and programs that have components that must comply with HIPAA.
- Conduct periodic HIPAA privacy compliance reviews; and
- Provide annual or regular reports to the university’s Compliance Oversight Committee related to HIPAA violations and remedies.
B. HIPAA Security Officer
(The HPO will have sufficient authority and resources to fulfill the duties determined to ensure compliance with HIPAA and be responsible for security matters related to HIPAA. (Security §164.308(a)(2) – Assigned Security Responsibility) The HSO’s responsibilities will include, but are not limited to, the following:
- Develop and implement HIPAA information security forms and operational policies;
- Coordinate with each component unit regarding HIPAA privacy and security compliance efforts;
- Ensure each component unit develops internal operating guidelines relating to appropriate handling and safeguarding of HIPAA data;
- Ensure component units operate in a HIPAA compliant manner and perform regular risk assessments relating to the adequate protection of protected health information;
- Ensure component unit staff are provided with regular HIPAA training;
- Retain required documentation that demonstrates the university’s compliance with the HIPAA law and regulations; and
- Conduct periodic HIPAA security compliance reviews.
PART 6: RESEARCH COMPLIANCE
- Investigators who wish to use PHI for research purposes must obtain a signed authorization from each participant. Institutions are required to establish a “Privacy Board” to review and approve requests for waivers of authorization for use and disclosure of PHI for research purposes. At NMSU, the Office of Institutional Compliance’s Institutional Review Board (IRB) serves as the Privacy Board.
- All research involving PHI must be reviewed and approved by the IRB, including disclosure of research data involving PHI. The IRB will ensure researchers comply with the requirements of this rule and its procedural guidelines. Pursuant to federal law, all institutions governed by HIPAA must train their employees regarding PHI. NMSU provides online training for new employees and annual training updates for existing employees.
- NMSU employees involved in human subject research must complete IRB training through the Collaborative Institutional Training Initiative (CITI). CITI is a web-based training package on issues relating to human subjects research. The CITI module “Research and HIPAA Privacy Protections” is required for IRB training, but it does not replace any other HIPAA training required by NMSU.
PART 7: DATA BREACH NOTIFICATION, REPORTING AND HANDLING
- The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities, including those within Hybrid Entities, to provide notification following a breach of unsecured protected health information.
- All NMSU employees, students or other affiliates upon becoming aware of a potential data breach/compromise relating to health information, must report such incidents to a HIPAA Officer. The HIPAA Officers are responsible to ensure proper handling, investigation, documentation and reporting to ensure overall HIPAA compliance. The Officers will ensure at minimum proper:
- Communication to NMSU senior officials regarding actual data compromises and breaches;
- Investigation, documentation and handling of incidents in collaboration with the Offices of University General Counsel, Human Resource Services and other university departments as appropriate;
- Submission of notices of actual data breaches to the U. S. Secretary of Human Health Services (HHS) Secretary as required by HIPAA (e.g. data breaches affecting 500 or more individuals require notification of the media per HHS guidelines; breaches affecting fewer than 500 individuals requires notification to HHS);
- Notification to affected individuals in collaboration with University Communications; and
- Retention of appropriate documentation for each data breach/incident.
PART 8: HIPAA TRAINING
- HIPAA requires NMSU to train all workforce members with access to health information about the University HIPAA administrative policies, rules and procedures. The NMSU entities within the above listed Covered Components must provide comprehensive training to staff regarding their respective operational privacy policies and procedures required to carry out their functions in compliance with HIPAA law and regulations. Each covered NMSU entity must ensure the appropriate training is received by all staff, including new and existing employees, volunteers, trainees or others whose conduct is under the control of the entity. Follow-up training is expected to occur annually.
- To ensure compliance with the HIPAA training requirement, all NMSU employees will be required to take annual HIPAA compliance training, which may be offered pursuant to ARP 6.89 Mandatory Employee Training and Other Professional Development Opportunities. Official training logs and certificates will be kept in the SABA training system maintained by Human Resource Services, Center for Training and Professional Development.
2017 Recompilation, formerly Rule 15.50
04/11/17 Rule approved by Chancellor