Kirtland Community College enacts the following policy in compliance with the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”):
Covered Component: A college office or division subject to the HIPAA Privacy Rule.HIPAA: The Health Insurance Portability and Accountability Act of 1996, Pub.L.No. 104-191.Health Information: Information that relates to the past, present, or future physical or mental health or condition of an individual, or that relates to the provision of health care in the past, present or future.
Individually Identifiable Health Information: Health information and demographic information that identifies an individual or for which there is a reasonable basis to believe can be used to identify an individual.
Privacy Rule: HIPAA standards for privacy of individually identifiable health information at 45 CFR Parts 160, 162, and 164.
Protected Health Information (“PHI”): Individually identifiable health information that is used or maintained by a covered component regardless of form or how transferred. PHI excludes, among other things, individually identifiable health information in education records covered by FERPA, as amended, 20 USC 1232g, including records described at 20 USC 1232g(a)(4)(B)(iv). PHI further excludes college employment records, kept by the college in its role as an employer.
- DECLARATION OF POLICY AND DESIGNATION OF PRIVACY OFFICER
When applicable, the college will comply with HIPAA to maintain the privacy of PHI that it receives, obtains, transmits, or sends. The college designates as its privacy officer the coordinator of personnel & business services, or such other official as may be designated in writing by the president or board of trustees.
- OBLIGATIONS OF COLLEGE COVERED COMPONENTS TO NON-COVERED COMPONENTS
A covered component will:
- Notify non-covered components of any limitation(s) in the covered component’s notice of privacy practices, to the extent that such limitation may affect a non-covered component’s use or disclosure of PHI.
- Notify non-covered components of any changes in, or revocation of, permission by an individual to use or disclose PHI, to the extent that such changes may affect a non-covered component’s use or disclosure of PHI.
- Notify non-covered components of any restriction to the use or disclosure of PHI to which a covered component has agreed, to the extent that such restriction may affect a non-covered component’s use or disclosure of PHI.
- Not request that a non-covered component use or disclose PHI in any manner prohibited by HIPAA.
- Provide an opportunity for non-covered components to correct violations of the privacy rule.
- DEVELOPMENT OF PROCEDURES
The college shall develop administrative procedures necessary to comply with HIPAA.
Employee violation of this policy, or of administrative procedures developed thereunder, may subject the violator to disciplinary action for misconduct, in accordance with applicable college contracts, policies, and procedures.
- NO RETALIATION
The college will not intimidate, threaten, coerce, discriminate or retaliate against an individual for exercising any rights under, or participating in any applicable process established by, HIPAA and its privacy rule, provided the person has a good faith belief that the practice in unlawful, and the manner of opposition is in accordance with applicable law.
This policy shall be interpreted, and amended as necessary, to permit compliance with HIPAA privacy rule.
Approved March 5, 2004