The Health Insurance Portability and Accountability Act of 1996 ("HIPAA") imposes specific standards and obligations regarding the privacy of certain protected health information ("PHI"). Wichita State University recognizes its obligation to safeguard PHI and this policy is intended to implement HIPAA requirements for the protection of the privacy of PHI.
1. Wichita State University will make all reasonable efforts to achieve and maintain compliance with HIPAA standards and obligations regarding the privacy of PHI.
2. Since the primary function of Wichita State University, as a state educational institution of Kansas, is not to provide health care, the University hereby designates itself as a "hybrid entity." The University Privacy and Compliance Officer will designate those units or departments which function as health care providers covered by HIPAA ("Covered University Units").
3. This policy applies to all Covered University Units.
4. The Privacy and Compliance Officer will be responsible for meeting HIPAA training requirements for University employees, students and volunteers who work or train with University units or departments which function as health care providers covered by HIPAA.
5. All Covered University Units shall provide to each patient not later than the date of the first service delivery, including service transmitted electronically, a Notice of Privacy Practices. A copy of the Notice of Privacy Practices shall be posted by each Covered University Unit and copies shall be made available to patients upon request. The Privacy and Compliance Officer will be responsible for providing the Notice of Privacy Practices.
6. All Covered University Units will take reasonable steps to verify the identify and authority of individuals and entities requesting PHI under HIPAA.
7. Patients of Covered University Units shall have the following specific rights: a right to an accounting of disclosures; a right to request amendment of PHI; a right of access to PHI; a right to request additional privacy protection; a right to complain about privacy and security policies and procedures; a right to be free of intimidating or retaliatory acts for exercising HIPAA rights; and the University will not require an individual to waive rights under this policy or HIPAA as a condition of treatment.
8. If any University employee or contractor becomes aware of an actual or alleged breach of this policy or any related departmental policies, or any other actual or alleged breach of required privacy or security of PHI, the employee or contractor is required to report the actual or alleged breach to the Privacy and Compliance Officer. Wichita State University will mitigate, to the extent practicable, any known harmful effect of a use or disclosure of PHI in violation of this policy or other applicable requirements of HIPAA.
9. This policy statement is applicable to all members of the University faculty, staff, fellows, volunteers, trainees, agents and students who work or train in University units or departments that maintain PHI. Faculty and staff members found to have violated this policy will be subject to disciplinary action, up to and including dismissal, under applicable disciplinary policies. Students will be subject to disciplinary action under applicable student policies and procedures.
10. Wichita State University and its employees or students who violate HIPAA may be subject to both civil and criminal penalties under HIPAA regulations. Civil monetary penalties are $100 per incident, up to $25,000 per person, per year. Federal criminal penalties range from $50,000 to $250,000 in fines and up to 10 years imprisonment.
11. David H. Moses, General Counsel, is the designated Privacy and Compliance Officer for Wichita State University. To initiate the filing of a complaint and/or to seek information about HIPAA, call 978-3001 or write to Privacy and Compliance Officer, 1845 Fairmount, Wichita, Kansas 67260-0001.
This policy shall be included in the WSU Policies and Procedures Manual and shared with appropriate constituencies of the University.
The General Counsel shall have primary responsibility for publication, dissemination and implementation of this University policy.
April 14, 2003