Loyola University Chicago

HIPAA @ Loyola

HIPAA Policy

STATEMENT OF POLICY

Loyola University Chicago is not a HIPAA Covered Entity under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Loyola’s primary purpose is education; however, Loyola does have departments and human subject research activities that require protection under the HIPAA privacy rule. Loyola employs best practices to safeguard protected health information as a Non-Covered Entity and complies with the HIPAA Privacy Rule as well as the Illinois Personal Information Protection Act (IPIPA).

REASON FOR THIS POLICY

Loyola University Chicago endeavors to preserve the privacy, security, and confidentiality of the Protected Health Information and other records maintained by its various schools and departments at all of Loyola’s campuses. It strives to fulfill this responsibility in accordance with state and federal statutes and regulations. Further, Loyola acknowledges its general obligations of trust and confidentiality reposed in its employees and students who are responsible for protected health information at the University.

INDIVIDUALS AND ENTITIES AFFECTED BY THIS POLICY

Individuals who work in any area of the University that handles protected health information, as listed on the HIPAA Privacy Rule website, are affected by this policy.

CONTACTS

| Subject | Contact | Telephone | E-mail/Web Address |
|---|---|---|---|
| Policy Clarification | HIPAA Privacy Officer | 312-915-6400 | hipaa-privacy@luc.edu |
| All HIPAA Privacy Questions | HIPAA Privacy Officer | 312-915-6400 | hipaa-privacy@luc.edu |
| All HIPAA Security Questions | Chief Information Security Officer | 773-508-7373 | datasecurity@luc.edu |

DEFINITIONS

HIPAA Privacy Rule

The HIPAA Privacy Rule protects the privacy of individually identifiable health information, called protected health information (PHI). A major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well-being.

Business Associates
Persons or entities that provide services or assist the covered entity in the performance of an activity or function involving the use of Protected Health Information or other regulated activities.

Chief Information Officer (CIO)

The executive staff member who holds the position at Loyola University Chicago that is in charge of the information technology (IT) strategy and the computer systems required to support an enterprise's objectives and goals.

Chief Information Security Officer (CISO)
The staff member who holds the position with this title at Loyola University Chicago. As required by the HIPAA Privacy Rule, the individual responsible for the development and implementation of the policies and procedures required by the HIPAA Privacy Rule for Loyola University Chicago.

Health Information
Anything created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse that relates to the past, present or future physical or mental health or condition of an individual; or the past, present or future payment for the provision of health care to an individual.

HIPAA
The Health Insurance Portability and Accountability Act of 1996, which mandates significant change in the laws and regulations governing the provision of health benefits, the delivery and payment of health care services and the security and confidentiality of Individually Identifiable and Protected Health Information in written, electronic or oral formats.

Individually Identifiable Health Information
Information that identifies or reasonably can be used to identify the individual and relates to the:

  • Past, present or future physical or mental health or condition of an individual;
  • Provision of healthcare to the individual; or
  • Past, present or future payment for the provision of health care.

Notice(s) of Privacy Practices
A document that specifies how a covered health care provider or covered health plan uses and discloses Protected Health Information and the rights of individuals related to this information.

HIPAA Privacy Officer
As required by the HIPAA Privacy Rule, the individual responsible for the development and implementation of HIPAA policies and procedures for Loyola University Chicago and who is the primary contact for receiving complaints and is able to provide further information about matters covered by the Notices of Privacy Practices.

Protected Health Information
Individually Identifiable Health Information, in any form, received or created as a consequence of providing health care services or health plan benefits (including demographic information). Protected Health Information may include information used for research purposes, if that information contains Protected Health Information.

Loyola Chicago and Loyola University Chicago
Any campus, unit, program, association or entity of Loyola University Chicago, including but not limited to Lake Shore Campus (LSC), Water Tower Campus (WTC), the Health Sciences Campus (HSC), Arrupe College of Loyola University Chicago, Cuneo Mansion and Gardens, Vernon Hills, Illinois and The Retreat and Ecology Campus in Woodstock, Illinois.

RESPONSIBILITIES

HIPAA Compliance Committee
Develop and implement procedures to ensure the security and privacy of Protected Health Information and ensure compliance with this policy and the HIPAA Privacy Regulations.

Work with the HIPAA Privacy Officer or his or her designee to review and implement appropriate procedures and train its personnel regarding said procedures. The HIPAA Privacy Officer must approve all procedures prior to implementation.

HIPAA Privacy Officer
Develop and implement policies and procedures to ensure the University complies with the HIPAA Privacy Regulations and breach notification regulations under the HITECH Act.

Train all affected employees, students or others.

Receive, investigate and attempt to resolve any privacy complaints received by Loyola University Chicago.

Provide the content for the Notice(s) of Privacy Practices and distribute them to the University’s Covered Components that provide health care services and to Loyola’s covered health plans and their members.

Maintain an appropriate Privacy Complaint Form for University-wide use.

In consultation with legal counsel as needed, develop and distribute other appropriate forms required by the HIPAA Privacy Regulations. These include, but are not limited to, individual authorizations; appropriate Business Associate agreements; employee, visitor and student confidentiality agreements; limited data set agreements; and research authorizations.

Assign other persons as needed to assist with any of these responsibilities in his or her absence or unavailability.

Chief Information Security Officer
Develop, implement and oversee Loyola University Chicago’s compliance with the policies and procedures required by the HIPAA Privacy Rule. Although ultimate responsibility for compliance lies with the CIO, representatives from each department are responsible for implementation and maintenance of the specified requirements of the HIPAA Privacy Rule in their specific operation.

Assign other persons as needed to assist with any of these responsibilities in his or her absence or unavailability.

PROCEDURES

Notices of Privacy Practices
The HIPAA Privacy Officer will maintain Notices of Privacy Practices and distribute them to the University’s departments that use protected health information in their business activities.

The Notice of Privacy Practices will be posted on the Loyola University Chicago HIPAA Privacy Rule website. Staff will be trained on the applicable notice(s) and will comply with the practices described in the notice(s).

REFERENCES

For further information about Protected Health Information at Loyola please see: http://www.luc.edu/hipaa.

For general HIPAA information from the U.S. Department of Health and Human Services, please see: https://www.hhs.gov/hipaa/index.html

For information on IPIPA please see: http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=2702&ChapterID=67

HISTORY

July 10, 2017: Initial Policy