POL 2.260 HIPAA Privacy Policy
Kirtland Community College (Kirtland) health benefit plans must comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Title II regulations, issued by the Federal Department of Health and Human Services (HHS), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act (Title XIII, Subtitle D of the American Recovery and Reinvestment Act (ARRA) of 2009).
The HITECH Act augments HIPAA’s privacy and security-related components and is an expansion of HIPAA rules and obligations. These regulations intertwine to ensure that the appropriate protocols are followed regarding data protection and breach notifications to avoid exposure to potential fines. How Kirtland complies with HIPAA and HITECH regulations will vary by health plan type and Kirtland’s involvement in plan administration functions.
HIPAA’s Title II “administrative simplification” requirements cover the privacy and security of individual health information used, transmitted, and retained by employer health plans and other covered entities and the electronic transmission of specific individual health data. This information is known as protected health information (PHI).
The four (4) main sets of HIPAA regulations, each part with differing effectiveness, can be viewed in Kirtland’s HIPAA procedures.
Health Plan Types Subject to HIPAA’s Privacy Regulations
- Major medical, pharmacy, and disease-specific policies (such as cancer coverage)
- Dental, vision, long-term care, mental health
- Some Employee Assistance Programs (EAPs)
- Health Flexible Spending Accounts (FSAs)
[1] Employers, third-party administrators (TPAs), life insurance plans, disability plans, workers’ compensation plans, and agencies are not covered entities. However, HIPAA regulations clarify that employers and their TPAs may be affected based on their roles as plan sponsors and business associates.
HIPAA Privacy Regulations – Impact on Kirtland
The HIPAA Privacy Rule requires appropriate safeguards to protect the privacy of personal health information (PHI), including individual medical records, and sets limits and conditions on the uses and disclosures that may be made of such information. The Privacy Rule also gives individuals rights over their health information, including the right to examine and obtain a copy of their health records and request corrections.
PHI is health information that is created, received, or maintained by a covered entity, whether in print, orally, or electronically, and includes:
- “Individual identifiers” that identify an individual (or have components that could be used to identify the individual), and
- Is related to a past, present, or future physical or mental health condition or the provision of or payment for health care or genetic information.
Please note that not all HIPAA-related privacy and security incidents trigger breach notification requirements under the HITECH Act.
Campus HIPAA Privacy Contacts
Each campus, including the President’s Office, has a HIPAA Privacy Contact. The Grayling and Gaylord campus HIPAA Privacy Contact is the Human Resources Director.
Approved March 5, 2004
Revised September 21, 2023