4-OP-H-30 Health Insurance Portability and Accountability Act (HIPAA) Policy

Responsible Executive: Information Security and Privacy Office

Approving Official: Vice President for Finance and Administration

Effective Date: March 1, 2024

Revision History: No revisions at this time.


  1. INTRODUCTION
    1. PURPOSE

      The purpose of this policy is to establish university requirements for complying with the Health Insurance Portability and Accountability Act (“HIPAA”) enacted by the United States Congress in 1996, and its implementing regulations, including the Breach Notification Rule, the Privacy Rule, and the Security Rule, as amended from time to time.

      This includes the HIPAA and the modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification rules under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, the Genetic Information Nondiscrimination Act (“GINA”), and HIPAA rules promulgated by the U.S. Department of Health and Human Services, as amended from time to time. Collectively, HIPAA, HITECH, GINA, and HIPAA rules are referred to herein as “HIPAA” and mean the regulatory requirements specified within, or authorized by, each Act.

    2. SCOPE

      The Florida State University (“university” or “FSU”) has elected to operate as a hybrid entity in accordance with HIPAA, and this policy designates its HIPAA covered health care components to include the university colleges, departments, divisions, and units that would meet the definition of a covered entity or business associate if they were members of separate and distinct legal entities (“university internal covered entities” and “university internal business associates” or collectively “University Health Care Components”).

      Although the university remains responsible for HIPAA oversight, compliance, and enforcement obligations, the HIPAA requirements in this policy only apply to the University Health Care Components identified in the 4-OP-H-30.01 Designation of University Health Care Components (“Designation”). University Health Care Components also may refer to members of the university’s HIPAA Compliance Areas, which denote university entities affected by HIPAA to the extent they are supporting a covered function or are responsible for safeguarding protected health information.


    3. DEFINITIONS

      Administrative Safeguard – Means the administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's or business associate's workforce in relation to the protection of that information.

      Authorization – Means a specific type of permission to use and/or disclose protected health information about an individual. The requirements for a valid authorization are defined in HIPAA.

      Breach – Shall have the same meaning as in 45 C.F.R. (“Code of Federal Regulations”) § 164.402 and identifies an impermissible use or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of the protected health information (“PHI”).

      An impermissible acquisition, access, use, or disclosure of PHI is presumed to be a breach unless, as applicable, the covered entity or business associate demonstrates there is a low probability that the PHI has been compromised based on a risk assessment of at least the following factors: (1) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the PHI or to whom the disclosure was made; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk to the PHI has been mitigated.

      Business Associate – Shall have the same meaning as the term “business associate” in 45 C.F.R. § 160.103 of HIPAA, and may include a person that is acting on behalf of a covered entity or of an organized health care arrangement (as defined in this section) in which the covered entity participates. Such persons are considered business associates when acting other than in the capacity of a member of the workforce of the covered entity or arrangement, and are creating, receiving, maintaining, or transmitting protected health information for a function or activity regulated by HIPAA.

      Business Associate Agreement (“BAA”) – Means a contract or other arrangement where a covered entity may permit a business associate to create, receive, maintain, or transmit electronic PHI on behalf of the covered entity only if the covered entity obtains satisfactory assurance in accordance with 45 C.F.R. §§ 164.308(b) and 164.314(a), that the business associate will appropriately safeguard the information. Covered entities are not required to obtain such assurances from a business associate that is its subcontractor under its direct control as a part of its workforce.

      Covered Entity – Shall have the same meaning as the term “covered entity” in 45 C.F.R. § 160.103, and means (1) a health plan, (2) a health care clearinghouse, (3) a health care provider who transmits any health information in electronic form in connection with a HIPAA regulated transaction.

      Covered Function – Shall have the same meaning as in 45 C.F.R. § 164.103 and means the functions performed by a covered entity serving as a health plan, health care provider, or health care clearinghouse.

      Data Use Agreement – An agreement between a covered entity and the recipient of the PHI, e.g., a researcher, in which the covered entity defines requirements associated with disclosing a limited data set for purposes of research, public health, or health care operations in accordance with HIPAA and university policy. Data use agreements are required to restrict the use of the PHI in the limited data set to a specified purpose, to safeguard the PHI, and to ensure the recipient of the PHI in the limited data set will not use such information to identify the individuals.

      Deidentified Data – Health information that does not identify an individual, and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual, is deidentified. Health information is deidentified (1) if it is stripped of all 18 direct identifiers defined in HIPAA, or (2) if an expert statistical analysis method determines there is only a very small or negligible risk that such information could be used, alone or in combination with other information, to identify an individual. HIPAA does not apply to deidentified data.

      Designated Record Set – Means medical, clinical research, and billing records maintained or used to make decisions about an individual and the individual’s treatment. Designated record sets are subject to an individual’s right to request access and amendment.

      Disclosure – Shall have the same meaning as in 45 C.F.R. § 160.103 and means the release, transfer, provision of access to, or divulging of protected health information in any manner outside of the entity holding the information. HIPAA requires specific authorization to disclose PHI except for the treatment, payment, or health care operations of the entity responsible for the PHI, or in limited circumstances specifically authorized by law, such as a public health purpose or an emergency.

      Electronic Media – Shall have the same meaning as in 45 C.F.R. § 160.103 and includes electronic storage material on which data is or may be recorded electronically, including, for example, devices in computers (“hard drives”) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card. Electronic media also include transmission media used to exchange information electronically utilizing, for example, the Internet, extranet or intranet, leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper via facsimile and of voice via telephone, are not considered to be transmissions via electronic media if the information being exchanged did not exist in electronic form immediately before the transmission.

      Electronic Protected Health Information (“ePHI”) – Shall have the same meaning as in 45 C.F.R. § 160.103 and includes PHI transmitted by electronic media or maintained in electronic media.

      FERPA – Means the Family Educational Rights and Privacy Act enacted by the United States Congress, as amended, 20 U.S.C. § 1232g. Protected health information excludes individually identifiable health information provided or maintained as FERPA regulated student education records or student treatment records.

      Financial Remuneration – Shall have the same meaning as in 45 C.F.R. § 164.501 and includes direct or indirect payment from or on behalf of a third party whose product or service is being described. Direct or indirect payment does not include any payment for treatment of an individual.

      Fundraising Communications – Shall have the same meaning as in 45 C.F.R. § 164.514(e)(4)(f) which establishes use and disclosure requirements for University Health Care Components.  A University Health Care Component may only use or disclose protected health information to a business associate, or an institutionally related foundation, for the purpose of raising funds in accordance with the use and disclosure requirements in 45 C.F.R. § 164.514.

      Health Care Component (“HCC”) – Means a component or combination of components of a hybrid entity designated by the hybrid entity in accordance with 45 C.F.R. § 164.105(a)(2)(iii)(D). Covered health care components include university centers, colleges, departments, divisions, institutes, laboratories, offices, programs, or units that would meet the definition of a covered entity or business associate if they were (housed within) separate legal entities with distinct workforce members. Covered health care components include (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS (Health and Human Services) has adopted standards. Documentation of the designation must be retained for 6 years from the date of its creation, or the date when such designation was in effect, whichever is later. 

      Health Care Operations – Shall have the same meaning as in 45 C.F.R. § 164.501 and collectively include the following: quality assessment and improvement assessments; reviewing competence and qualifications of health care professionals and practitioners; conducting training programs, accreditation, certification, licensing, and credentialing activities; underwriting, enrollment, premium rating, and other activities related to health insurance or health benefits; medical review, legal services, and audit functions; and business planning, management, and development and related general administrative activities of the entity.

      Health Care Provider – Shall have the same meaning as in 45 C.F.R. § 160.103 and means a provider of services (as defined in section 1861(s) of the Act, 42 U.S.C. 1395X(s)), and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.

      HIPAA Compliance Area – Means university entities or personnel who are required to comply with HIPAA based on the functions they are performing on behalf of a University Health Care Component. 

      Hybrid Entity – Shall have the same meaning as in 45 C.F.R. § 160.103 and means a single legal entity: (1) that is a covered entity, (2) whose business activities include both covered and non-covered functions, and (3) that designates health care components in accordance with 45 C.F.R. § 164.105(a)(2)(iii)(D).

      Individually Identifiable Health Information (“IIHI”) – Means information defined in 45 C.F.R. § 160.103 that is a subset of health information, including demographic information, collected from an individual, that: (1) is created or received by a health care provider, health plan, employer, or health care clearinghouse, (2) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, (3) identifies the individual, or (4) is information of which there is a reasonable basis to believe the information can be used to identify the individual.

      Institutional Review Board (“IRB”) – Shall have the same meaning as in 45 C.F.R. Part 164. University researchers seeking approval to conduct human subjects research are required to comply with University Human Subjects policy 7-IRB-0 and relevant IRB protocols, policies, and procedures. For additional information, please contact the FSU Office of Research – Office of Human Subjects Protection at: humansubjects@fsu.edu.

      Limited Data Set – Shall have the same meaning as in 45 C.F.R. §§ 164.514(e)(2) and 164.514(e)(3). Limited data sets consist of protected health information that excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual: (1) Names, (2) Postal address information, other than town or city, state, and zip code, (3) Telephone numbers, (4) Fax numbers, (5) Electronic mail addresses, (6) Social security numbers, (7) Medical record numbers, (8) Health plan beneficiary numbers, (9) Account numbers, (10) Certificate or license numbers, (11) Vehicle identifiers, serial numbers, and license plate numbers, (12) Device identifiers and serial numbers, (13) Web Universal Resource Locators (“URL”), (14) Internet Protocol (“IP”) address numbers, (15) Biometric identifiers, including finger and voice prints, and (16) Full face photographic images and any comparable images.

      Marketing – Shall have the same meaning as in 45 C.F.R. § 164.501. Marketing includes communications made about a product or service that encourage recipients of the communication to purchase or use the product or service. Marketing does not include a communication made: (i) to provide refill reminders or otherwise communicate about a drug or biologic that is currently being prescribed for the individual, only if any financial remuneration received by the covered entity in exchange for making the communication is reasonably related to the covered entity's cost of making the communication, and (ii) for the following treatment and health care operations purposes, except where the covered entity receives financial remuneration in exchange for making the communication:

      • For treatment of an individual by a health care provider, including case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual.
      • To describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication, including communications about: the entities participating in a health care provider network or health plan network; replacement of, or enhancements to, a health plan; and health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits.
      • For case management or care coordination, contacting of individuals with information about treatment alternatives, and related functions to the extent these activities do not fall within the definition of treatment.

      Organized Health Care Arrangement – Shall have the same meaning provided in 45 C.F.R. § 160.103.

      Payment – The activities undertaken by, (1) except as prohibited when involving genetic information, a health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan, including determinations of eligibility and adjudication of claims; risk adjusting; billing, claims management, and collection activities; review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges; utilization review activities; and disclosure to consumer reporting agencies of certain PHI relating to collection of premiums or reimbursement; or (2) a covered health care provider or health plan to obtain or provide reimbursement for the provision of health care.

      Person – Shall have the same meaning as provided in 45 C.F.R. § 160.103 and is defined as a natural person, trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private.

      Physical Safeguard – Means physical measures, policies, and procedures to protect a covered entity’s or business associate’s electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.

      Protected Health Information (“PHI”) – Shall have the same meaning as the term “protected health information” in 45 C.F.R. § 160.103. PHI includes any individually identifiable health information, including payment, genetic or demographic information, collected from an individual, whether oral or recorded in any form or medium that is created or received by or on behalf of a covered entity. PHI excludes individually identifiable health information regulated by the FERPA as student education records or student treatment records, described respectively, at 20 U.S.C. § 1232g(a)(4)(B), and 20 U.S.C. § 1232g(a)(4)(B)(iv).  PHI also excludes employment records held by a covered entity in its role as an employer, and records regarding a person who has been deceased for more than 50 years.

      Psychotherapy Notes – Notes recorded in any medium by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual’s medical record. Psychotherapy notes exclude medication prescription and monitoring, counseling session start and stop times, modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.

      Research Health Information (“RHI”) – Means individually identifiable health information that is received or created as a part of a research project that does not involve a HIPAA covered function. RHI may also have previously been determined to be PHI, if provided or obtained based on an authorized HIPAA use or disclosure, or a waiver of authorization provided by an institutional review board (“IRB”). Only data regulated by HIPAA are considered PHI.

      Security Incident – Shall have the same definition as Security Incident in 45 C.F.R. § 164.304 and means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.

      Technical Safeguard – Means the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.

      Treatment – The provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.

      University Internal Business Associate – Means university centers, colleges, departments, divisions, institutes, laboratories, offices, programs, or units and their respective university workforce members (faculty, staff, research scientists, and students) serving as business associates who are (1) supporting or performing covered functions on behalf of a university internal covered entity, or (2) conducting HIPAA regulated research in collaboration with or on behalf of a university internal covered entity.

      University Internal Covered Entity – Means university centers, colleges, departments, divisions, institutes, laboratories, offices, programs or units and their respective university workforce members (faculty, research scientists, staff, students) that would meet the definition of a covered entity if they were separate legal entities.

      Use – Shall have the same meaning as in 45 C.F.R. § 160.103 and means, with respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of individually identifiable health information within an entity that holds such information.

      Unsecured Protected Health Information – Means PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified in guidance provided by the Secretary of the Department of Health and Human Services under section 13402(h)(2) of Public Law 111-5.

      Waiver of Authorization – Shall have the same meaning as in HIPAA and requires a researcher affiliated with a University Health Care Component to obtain institutional review board or privacy board approval documentation providing an alteration to, or waiver, in whole or in part, of the individual authorization requirements, approved in accordance with 45 C.F.R. § 164.508 and § 164.512(i).

      Workforce – Shall have the same meaning as in 45 C.F.R. § 160.103 and means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate.


  2. POLICY

    University Health Care Components are required to establish and implement policies and procedures needed to comply with HIPAA and the applicable requirements in this policy. PHI is high-risk data and must be safeguarded to maintain its confidentiality, integrity, and availability in accordance with HIPAA.

    If a unit is not listed in the 4-OP-H-30.01 Designation of University Health Care Components (“Designation”) and has determined it is required to comply with HIPAA, it is the responsibility of the unit head or its designee to contact the FSU information security and privacy office at hipaa@fsu.edu to determine whether an update to the Designation is needed.

    1. HIPAA Regulations
      1. HIPAA Security Rule

        The HIPAA Security Rule (45 C.F.R. Part 160 and 45 C.F.R. Part 164 Subpart A and Subpart C) defines requirements for the appropriate use, disclosure, and safeguarding of electronic PHI (“ePHI”) throughout the information life cycle of an organization. On January 25, 2013, the Federal Register published the Omnibus Final Rule written by the U.S. Department of Health and Human Services to further clarify, enhance, and strengthen the HIPAA requirements and finalize implementation of the HITECH Act.

      2. HIPAA Privacy Rule

        The HIPAA Privacy Rule (45 C.F.R. Part 160 and 45 C.F.R. Part 164 Subpart A and Subpart E) is intended to protect the privacy of an individual’s PHI. It provides protections for individually identifiable health information held by covered entities and their business associates and gives patients an array of rights with respect to that information.

        University researchers or research teams are serving as university internal covered entities if they serve as health care providers who electronically transmit PHI in connection with any transaction, function, or activity for which the United States Department of Health and Human Services (“HHS”) has adopted a standard for regulating such information in accordance with HIPAA.

        FSU researchers or research teams are generally considered acting within the capacity of the University Health Care Components if they are university workforce members of, or workforce members affiliated with, such components, and they create, process, receive, store, or transmit PHI, perform a covered function or activity regulated by HIPAA, or if they serve as a business associate and must operate in accordance with 45 C.F.R. § 164.504(e)(2).

      3. HIPAA Breach Notification Rule

        The HIPAA Breach Notification Rule (45 C.F.R. §§ 164.400-414) requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured PHI. Breach excludes:

        1. Any unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a covered entity or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under 45 C.F.R. Part 164 Subpart E.
        2. Any inadvertent disclosure to another person authorized to access PHI at the same covered entity or business associate, or organized health care arrangement in which the covered entity participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under 45 C.F.R. Part 164 Subpart E.
        3. A disclosure of PHI where a covered entity or business associate has a good-faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.


      4. Safeguarding PHI

        PHI includes information that identifies, or that might reasonably be used to identify, an individual, that is used or disclosed by a covered entity or business associate and relates to:

        1. The past, present, or future physical or mental health or condition of the individual.
        2. The provision of health care to the individual.
        3. The past, present, or future payment for health care to the individual.

        Personal identifiers that could identify an individual include patient names or any other information that, taken together or used with other information, could enable someone to determine an individual’s identity (e.g., address other than state, phone number, email address, IP (Internet Protocol) address, photographic images, or other biometric identifiers).

        Other examples of personal identifiers include: all elements of dates except years (e.g., date of birth, admission, discharge, death); and identifying numbers such as Social Security numbers, medical record numbers, insurance or health plan numbers, biomedical device numbers, vehicle tag numbers, and driver’s license numbers.

  3. UNIVERSITY HIPAA COMPLIANCE RESPONSIBILITIES

    HIPAA requires covered entities and business associates to comply with all applicable HIPAA rules. This policy requires that University Health Care Components comply with HIPAA in the same manner as covered entities and business associates.

    In certain situations, university internal covered entities also may function as business associates when providing services on behalf of a covered entity which include the performance of a covered function.

    Each University Health Care Component is required to designate an individual who shall serve as the unit’s HIPAA Privacy Officer.  The HIPAA Privacy Officer is responsible for coordinating unit activities needed to maintain compliance with the HIPAA Privacy, Security, and Breach Notification rules and university information security and privacy policy requirements for security incident and breach response in the 4-OP-H-20 Information Technology Security and Information Assurance Policy.

    Responsibilities of the HIPAA Privacy Officer include coordinating unit compliance activities, ensuring policies and procedures are maintained in accordance with HIPAA, and, where applicable, maintaining an inventory of business associate contracts with external third-party entities performing or supporting the University Health Care Component’s covered functions, and maintaining an inventory of completed 4-OP-H-30.02 Acknowledgement of Understanding and Compliance (Acknowledgement) forms when serving as a university internal business associate (Section III.B.2).

    Business associate contract inventories are required to include: a copy of the business associate contract(s) and Acknowledgement(s), the business associate name, the web site URL (“universal resource locator”), point of contact name(s), mailing address(es), phone number(s), fax number(s), and email address(es).

    1. Responsibilities of University Health Care Components

      Generally, University Health Care Components include university units which would meet the definition of a covered entity or business associate if they were separate legal entities, to the extent they are performing a covered activity, function, or transaction.

      University Health Care Components are required to implement and maintain documented policies and procedures which meet HIPAA requirements for:

      1. Ensuring the confidentiality, integrity, and availability of PHI and individually identifiable health information and protecting against reasonably anticipated threats or hazards to the security of such information.
      2. Complying with HIPAA use and disclosure authorization requirements, including marketing requirements, in accordance with the FSU 4-OP-H-31 HIPAA Authorization for Use and Disclosure of Protected Health Information Policy.
      3. Adhering to HIPAA requirements which limit the amount of PHI used, disclosed, or requested to the minimum amount necessary. Minimum necessary requirements do not apply to disclosures among health care providers for treatment purposes, uses or disclosures made to the individual, uses or disclosures made pursuant to an authorization, or uses or disclosures made for research purposes pursuant to 45 C.F.R. § 164.512(i).
      4. Identifying personnel authorized to access PHI based on job responsibilities and related business requirements and conditions.
      5. Protecting against reasonably anticipated uses or disclosures of PHI that are not permitted or required by HIPAA. 
      6. Completing required university standard HIPAA privacy and security awareness training and, where applicable, HIPAA-specific security awareness training offered by the University Health Care Component.
      7. Authorizing user access to a workstation, transaction, program, or process which is creating, maintaining, receiving, storing, or transmitting PHI. This includes provisioning system access, and onboarding and offboarding of all authorized workforce members’ access to systems handling or providing access to electronic PHI.
      8. Preventing, detecting, and correcting security violations and establishing controls needed to comply with the HIPAA Privacy, Security, and Breach Notification rules.
      9. Establishing administrative, physical, and technology controls, including strong encryption, needed to effectively manage high-risk HIPAA regulated data.
      10. Implementing and maintaining contingency and emergency data access preparedness and response plans.
      11. Maintaining compliance with university information technology, information security, and information privacy policies and standards.
      12. Negotiating and entering into business associate contracts with covered entities or business associates external to Florida State University, where applicable.
      13. Negotiating and entering into a data use agreement which specifies the requirements for using and/or disclosing a limited data set to a recipient in accordance with the requirements in 45 C.F.R. § 164.514. Where applicable, data use agreements are required to meet the requirements in 45 C.F.R. § 164.514(e)(4) and contain provisions which:
        1. Establish who is permitted to use and receive the limited data set.
        2. Describe the permitted uses and disclosures of limited data set information by the recipient.

          The data use agreement also must require the recipient to:

        3. Only use or disclose the information as permitted by the data use agreement or authorized by law.
        4. Use appropriate safeguards to prevent uses or disclosures that are inconsistent with the data use agreement.
        5. Report to the university health care component, or where applicable, the external covered entity, any uses or disclosures in violation of the data use agreement of which the recipient becomes aware.
        6. Ensure that any agents to whom the recipient provides the limited data set agree to the same requirements that apply to the recipient.
        7. Not identify or re-identify the individual utilizing information in the limited data set.
      14. Implementing hardware, software, and/or procedure mechanisms to record and examine activity in information systems that involve or use ePHI.
      15. Reviewing information system activity records, such as audit logs, access reports, and security incident tracking reports.
      16. Conducting thorough and accurate assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. 
      17. Ensuring effective risk management measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level are in place.
      18. Periodically reviewing documented HIPAA policies and procedures and updating them when necessary. HIPAA requires policy and procedure documentation to be retained for six (6) years from the date of its creation or the date when it was last in effect, whichever is later.

    2. Responsibilities of University Internal Business Associates Supporting University Internal Covered Entities

      University internal business associates include designated university units and workforce members performing HIPAA covered functions for, or on behalf of, university covered components. University internal business associates also include FSU researchers who may hold appointments in units not designated as University Health Care Components, and who are conducting HIPAA covered functions for a research purpose for or on behalf of university internal covered entities.

      1. University internal business associates are required to comply with this policy to the extent they are performing or supporting covered functions and, where applicable to HIPAA-regulated research, for the duration of their research activities.
      2. Business Associate Agreements/contracts are not required when university internal business associates are performing covered functions for, or on behalf of, a university internal covered entity. Note: the university internal business associate must always comply with the requirements of this Section III.B.
      3. University internal business associates are required to acknowledge and agree in writing to comply with the following by completing the 4-OP-H-30.02 Acknowledgement of Understanding and Compliance:
        1. Not use or disclose PHI other than as specified in writing by the university internal covered component, or as required by HIPAA or other law.
        2. Use appropriate safeguards to prevent the unauthorized use or disclosure of PHI or ePHI in accordance with 45 C.F.R. Part 164 subpart C.
        3. Report any security incident, breach, and use or disclosure of PHI not authorized by law, of which it becomes aware in accordance with the process provided in Section III.D Incident Reporting and Breach Notification.
        4. Return or destroy PHI according to instructions specified in writing by the university covered component at the conclusion of the services the business associate is providing, where applicable.
        5. If applicable, and in accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), ensure that any subcontractors of the university internal business associate that create, receive, maintain, or transmit PHI agree to the same restrictions, conditions, and requirements in this section that apply to the internal business associate.
        6. Make PHI available in a designated record set to the university internal covered entity to which the business associate is providing services, pursuant to 45 C.F.R. § 164.524.

    3. Disclosure of Protected Health Information to Business Associates for Research Purposes

      In accordance with 45 C.F.R. § 164.308(b), business associate contracts are not required for a University Health Care Component to disclose PHI to a university researcher strictly for research purposes when: (1) such disclosure is authorized by the individual pursuant to 45 C.F.R. § 164.508, (2) a Waiver of Authorization has been received in accordance with 45 C.F.R. § 164.512, or (3) the disclosure is made as a limited data set pursuant to 45 C.F.R. § 164.514(e).

      Further, when the researcher is not utilizing PHI or performing a HIPAA-regulated function or activity (treatment, payment, or health care operations) or providing a service included in the definition of business associate in 45 C.F.R. § 160.103, a business associate contract is not required.

      When a university internal business associate is utilizing PHI or performing a covered function on behalf of a university internal covered entity, the internal business associate is required to acknowledge and agree it is in compliance with the responsibilities and requirements in Section III.B by completing the 4-OP-H-30.02 Acknowledgement of Understanding and Compliance.

    4. Incident Reporting and Breach Notification

      It is the responsibility of each university workforce member to immediately report suspected or confirmed security incidents to the unit’s HIPAA Privacy Officer and hipaa@fsu.edu. This requirement includes information security and privacy breach incidents required to be managed in accordance with HIPAA regulations and the university 4-OP-H-25.11 IT Incident Response Standard. The unit information security manager must inform the Chief Information Security Officer of any suspected or confirmed security incidents they become aware of within 24 hours of discovery.

  4. POLICY VIOLATIONS

    Failure to comply with the requirements of this policy, and any supplemental policies, requirements, or standards published by the university, may result in reduced or revoked access to the university network and to university information, research technology, or data resources.

    FSU personnel who violate this policy may be subject to other penalties and disciplinary action, both within and outside the university. University disciplinary action is governed under the Disciplinary Guidelines published by the FSU Office of Human Resources. Unauthorized or fraudulent use of university data or computing resources may result in criminal prosecution.

  5. LEGAL AUTHORITY, JUSTIFICATION, AND REVIEW OF THIS POLICY

    Specific Authority and Justification

    BOG Regulation 3.0075 - Security of Data Related Information Technology Resources

    Chapter 501.171, Florida Statutes – Security of Confidential Personal Information, Florida Information Protection Act 2014 (FIPA)

    Health Insurance Portability and Accountability Act of 1996 (HIPAA)

    Health Insurance Portability and Accountability Act Regulations - 45 C.F.R. Part 160 – General Administrative Requirements

    Health Insurance Portability and Accountability Act Regulations - 45 C.F.R. Part 164 – HIPAA Security and Privacy

    Health Insurance Portability and Accountability Act Regulations - 45 C.F.R. §§ 164.400-414 – Notification in the Case of Breach of Unsecured Protected Health Information

    HHS Covered Entities and Business Associates

    Review

    This policy shall be reviewed by the Chief Information Security Officer at least three (3) years from the date of initial establishment, or when determined to be necessary based on changes in federal or state law, rules, regulations, or relevant university requirements.