Protected Health Information Privacy Policy

Standard Number: 1.11.3.9
Category: Information Privacy
Owner: Information Technology Services
Effective: September 12, 2022
Revision History: None
Review Date: September 11, 2025

  1. Purpose & Scope

    1. Pursuant to the HIPAA Hybrid Entity Policy, West Virginia University has designated itself as a Hybrid Entity and has identified all schools, departments, clinics, programs, and functions within the University that perform Covered Functions under HIPAA as University Health Care Components (“UHCC”).
    2. The purpose of this Policy is to identify the safeguards that UHCCs must follow, as required by the HIPAA Privacy Rule to ensure the privacy of protected health information (“PHI”).
    3. This Policy applies to all employees, students, volunteers, trainees, and other persons (“Workforce”) whose conduct in the performance of work for the UHCC is under the direct control of a UHCC, whether the Workforce member is paid by the UHCC or not.
  2. Protected Health Information

    1. PHI is Individually Identifiable Health Information held or transmitted by a named UHCC in any form or media, whether electronic, paper, or oral.
    2. The following record types are explicitly excluded from being classified as PHI:
      1. Education records covered by the Family Educational Rights and Privacy Act, as amended;
      2. Employment records held by the University as an employer; and,
      3. Information about a person who has been deceased for more than 50 years.
    3. Data sets that do not identify the subject of the PHI (“Individual”), and with respect to which there is no reasonable basis to believe that the information can be used to identify an Individual (“De-identified”), are not subject to compliance with this Policy when being used or disclosed by a UHCC. Specific requirements are identified within the PHI De-Identification Standard.
    4. Limited Data Sets must exclude Identifiable Health Information of the Individual or their relatives, employers, or household, but may include the following direct identifiers:
      1. Dates, including birth dates, date of admission, date of discharge, date of death, or age of Individuals older than 89; and,
      2. Geographic data including town/city, county, precinct, state, or zip code but not street address.
    5. Limited Data Sets are considered PHI and subject to compliance with the requirements of this Policy and the provisions of the HIPAA Privacy and Security Rules.
  3. PHI Privacy Practices at the University

    1. The University will ensure the privacy and security of PHI through carrying out the following activities:
      1. Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the Confidentiality, Integrity, and Availability of PHI held by UHCCs;
      2. Implement the appropriate administrative, technical and physical safeguards identified within the HIPAA Security Rule to prevent unauthorized access to all forms of PHI;
      3. Establish policies, standards, and procedures (“Governance”) addressing the requirements of the HIPAA Privacy and Security Rules;
      4. Apply disciplinary or corrective action against Workforce members who fail to comply with established University Governance. See UHCC Sanctions Procedure;
      5. Investigate all reported known or suspected Unauthorized Disclosures of PHI pursuant to the Computer Security Incident Response Policy; and,
      6. Provide Workforce security and privacy awareness training for all UHCCs.
    2. The University will ensure the Individual is afforded their rights granted by the HIPAA Privacy Rule, including the right to:
      1. Notice of Privacy Practices, which includes delivery of a notice and written acknowledgement;
      2. Request access, a copy, an amendment to, or restrictions on the use of their PHI;
      3. Request confidential communications;
      4. Not be asked to waive their rights in order to receive Treatment, Payment, enrollment in a health plan, or eligibility for benefits; and,
      5. File a complaint.
    3. The University will make its Notice of Privacy Practices publicly available.
  4. Authorized and Unauthorized Disclosure of PHI

    1. All requests to use, disclose, and/or request disclosure of PHI must be for the minimum amount of information necessary to accomplish the intended purpose (“Minimum Necessary Rule”).
      1. The Minimum Necessary Rule applies to internal requests from other UHCCs as well as external requests for PHI.
      2. Exceptions to the Minimum Necessary Rule, including, but not limited to, disclosures for Treatment purposes or upon Individual request, are further described in the PHI Disclosure Standard.
    2. A University Covered Component must disclose PHI in the following two situations:
      1. To the Individual (or their personal representatives) specifically when they request access to, or an accounting of disclosures of, their PHI;
      2. To Health and Human Services when it is undertaking a compliance investigation or review or enforcement action.
    3. Other valid Authorized Disclosures include disclosures:
      1. For Treatment, Payment, or Health Care Operation purposes;
      2. To Business Associates for appropriate purposes;
      3. To authorized family members and friends; and,
      4. For research purposes. See PHI Disclosure Standard for complete list of Authorized Disclosures.
    4. Limited Data Sets may be disclosed without an Individual’s authorization for research purposes consistent with the HIPAA Privacy Rule. See the PHI Disclosure Standard.
    5. Pursuant to the Computer Security Incident Response Policy, reports of and complaints related to Unauthorized Disclosures, accesses, or uses of PHI shall be made to the University via the Incident Report Form.
    6. Communications to affected Individuals or the media related to suspected or known Unauthorized Disclosures must be made only by the Chief Information Security Officer or the Health Sciences Center Privacy Officer, in collaboration with University communication officials, and only when appropriate.
    7. Any Individual found to be responsible for the Unauthorized Disclosure of PHI or communications with affected Individuals may be subject to appropriate disciplinary action, including, but not limited to, a written warning, additional training, job reassignment, suspension, and/or termination.
  5. UHCC Workforce Responsibilities

    1. UHCC Workforce will protect the privacy and security of PHI through the following activities:
      1. Adhering to the Minimum Necessary Rule when requesting, receiving, or transmitting PHI;
      2. Providing the University’s Notice of Privacy Practices to Individuals with whom there is a direct Treatment relationship;
      3. Making a good faith effort to obtain written acknowledgement of receipt of Notice of Privacy Practices from the Individual;
      4. Following established procedures for submission, review, approval or denial of an Individual’s Privacy Rights;
      5. Never requiring an Individual to waive their Privacy Rights as a condition of the provision of Treatment, Payment, enrollment in a health plan, or eligibility for benefits;
      6. Never intimidating, threatening, coercing, discriminating against, or taking other retaliatory action against any Individual for exercising their Privacy Rights under HIPAA, including filing a complaint;
      7. Documenting PHI disclosures made to external parties in order to respond to an Individual’s right to request an accounting of disclosures;
      8. Facilitating Individuals’ rights to access, disclosures, amendments, and confidentiality;
      9. Establishing procedures that ensure PHI access is limited to only the Workforce members who require it, including conducting bi-annual access audits to remove Workforce members who no longer require access and ensuring all hard copies of PHI are removed from a Workforce member who no longer requires access;
      10. Completing appropriate HIPAA privacy and security awareness training;
      11. Fully cooperating with any investigation of Unauthorized Disclosure of PHI;
      12. Reporting any known or suspected Unauthorized Disclosures of PHI or violations of this Policy to the Chief Information Security Officer or the Health Sciences Center Privacy Officer immediately. See Section 4.5;
      13. Storing PHI in approved location(s) pursuant to the PHI Protection Standard and remediating all identified PHI stored in an unapproved storage location; and,
      14. Following the requirements of the PHI De-Identification Standard to ensure that data sets do not provide any reasonable basis to identify an Individual.
  6. Exceptions

    1. University schools, departments, clinics, programs, and functions that may collect Individually Identifiable Health Information for academic or research purposes but are not designated as a UHCC, are not subject to the requirements of this Policy or the HIPAA Privacy and Security Rules. Such information must be protected according to the Sensitive Data Policy, Sensitive Data Protection Standard, FERPA, and the Common Rule.
    2. Violations of this Policy do not include PHI disclosures made by whistleblowers who believe in good faith that a UHCC has engaged in conduct that is unlawful or otherwise violates professional or clinical standards, or that the care, services, or conditions provided by the UHCC potentially endanger one or more patients, Workforce members, or the public, provided the disclosure is to:
      1. A health oversight agency or public health agency authorized by law to investigate or otherwise oversee the conduct or conditions of a UHCC or to an appropriate health care accreditation organization for the purpose of reporting the allegation of failure to meet professional standards or misconduct by the UHCC; or,
      2. An attorney retained by or on behalf of the Workforce member for the purpose of determining legal options of the Workforce member with regard to the conduct described in Section 6.2.
    3. Violations of this Policy do not include PHI disclosures made to law enforcement related to an Individual who is the victim of a crime provided that:
      1. The Individual agrees to the disclosure; or,
      2. There is an official request for such information which represents that the information is needed to determine if a violation of the law has occurred, immediate law enforcement activity is dependent on the disclosure, and the UHCC determines the disclosure is in the best interest of the Individual.
  7. Definitions

    1. “Authorized Disclosures” means the disclosures permitted under HIPAA Privacy Rule.
    2. “Availability” means the PHI is easily accessible.
    3. “Confidentiality” means the PHI is not disclosed without prior patient authorization and is only accessed by those who require access to perform their job functions.
    4. “Covered Functions” means functions that a UHCC performs which make it a health plan, health care provider, or health care clearinghouse.
    5. “Health Care Operations” means certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of Treatment and Payment.
    6. “HIPAA” means the Health Insurance Portability and Accountability Act of 1996, as amended, the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), and all other regulations promulgated thereunder including:
      1. Privacy Rule means the standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. part 160 and part 164, Subparts A and E.
      2. Security Rule means the Security Standards for Protection of Electronic Protected Health Information at 45 C.F.R. Part 160 and Part 164, Subparts A and C.
    7. “Individually Identifiable Health Information” is information, including demographic data, that relates to the individual’s past, present, or future physical or mental health or condition; the provision of health care to the individual; or the past, present, or future payment for the provision of health care to the individual. Identifiers include: (A) Names; (B) All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code; (C) All elements of dates (except year) for dates directly related to the individual, including birth date, admission date, discharge date, date of death, and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older; (D) Telephone numbers; (E) Fax numbers; (F) Electronic mail addresses; (G) Social Security numbers; (H) Medical record numbers; (I) Health plan beneficiary numbers; (J) Account numbers; (K) Certificate/license numbers; (L) Vehicle identifiers and serial numbers, including license plate numbers; (M) Device identifiers and serial numbers; (N) Web Universal Resource Locators (URLs); (O) Internet Protocol (IP) address numbers; (P) Biometric identifiers, including finger and voice prints; (Q) Full face photographic images and any comparable images; and any other unique identifying number, characteristic, or code.
    8. “Integrity” means PHI has not been altered or destroyed in an unauthorized manner.
    9. “Payment” means the various activities of health care providers to obtain payment or be reimbursed for their services and of a health plan to obtain premiums, to fulfill their coverage responsibilities and provide benefits under the plan, and to obtain or provide reimbursement for the provision of health care.
    10. “Treatment” means the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.
    11. “Unauthorized Disclosure” means the acquisition, access, use or disclosure of PHI in a manner not permitted under this policy which compromises the privacy of the PHI as described in 45 C.F.R. Section 164.400 et seq.
  8. Enforcement & Interpretation

    1. Any Workforce member who violates this Policy may be subject to appropriate disciplinary action.
    2. Any student who violates this Policy may be subject to appropriate disciplinary action in accordance with the Student Code of Conduct.
    3. Any individual affiliated with the University who has access to University Data and violates this Policy may be subject to appropriate disciplinary action, up to and including, termination of the individual’s relationship with the University.
    4. The University’s Chief Information Officer, supported by the Chief Information Security Officer and the Health Sciences Center Privacy Officer, will coordinate with appropriate University entities on the implementation and enforcement of this Policy.
    5. Responsibility for interpretation of this Policy rests with the Chief Information Officer.
  9. Authority & References

    1. BOG Governance Rule 1.11 Information Technology Resources and Governance
    2. All other University policies are also applicable to the electronic environment. Relevant institutional documents include, but are not limited to:
      1. HIPAA Hybrid Entity Designation Policy
      2. Data Classification Policy
      3. Sensitive Data Protection Standard
      4. PHI De-Identification Standard
      5. PHI Disclosure Standard
      6. PHI Protection Standard
      7. Faculty Handbook
      8. Code of Student Rights and Responsibilities (Code of Conduct)
      9. WVU Talent and Culture Policies
      10. UHCC Sanctions Procedure