Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Picture of UCCS Campus
Photo - UCCS Campus 

 

Overview – HIPAA Privacy and Security

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects the use and disclosure of individually identifiable information or protected health information (PHI) created or received by covered entities.

The University of Colorado is a covered entity that has chosen hybrid status, meaning it is a single legal entity with components that are covered and non-covered under HIPAA. HIPAA Affected Areas refer to those units at UCCS that have access to PHI, as defined by HIPAA, because the unit is a designated healthcare component (healthcare provider or a health plan), provides services to covered components and as such receives PHI to perform those tasks, or uses PHI for education or research purposes. The designated health care components for UCCS can be found in Exhibit A of the “HIPAA Hybrid Entity Designation” Administrative Policy Statement.  The locations listed in Exhibit A are all considered covered entities and therefore all of these areas must comply with HIPAA rules and regulations.

Key Concepts:

HIPAA designated healthcare components must safeguard PHI during storage, use and disclosure. These safeguards apply to the Privacy and Security of the data and must include:

  • Administrative Safeguards (e.g. policies, procedures, training, contractual agreements)
  • Physical Safeguards (e.g. doors, privacy curtains, locking cabinets)
  • Technical Safeguards (e.g. password protected computers, encryption)

Patients have Rights to:

  • Notice of Privacy Practices (How their information may be used)
  • Inspect & copy PHI
  • Accounting of Disclosures (Record of disclosures of PHI for other than TPO & without their permission)
  • Request to Amend their record
  • Request for Confidential Communications
  • Request for Restrictions related to certain uses and disclosures
  • Give permission to allow certain uses and disclosures such as for research purposes
  • File a Complaint

Training and Education

CU: HIPAA Regulations - UCCS

  1. Select the Skillsoft tile on the home page
  2. Once in Skillsoft, select Library from the top of the screen and select UCCS or use the UCCS tile from the home page
  3. Select the HIPAA folder then select CU: HIPAA Regulations – UCCS and click LAUNCH

Frequently Asked Questions

The Health Insurance Portability and Accountability Act (HIPAA) came into effect on April 14, 2003, the Privacy Rule protects the privacy of certain individually identifiable health information by establishing conditions for its use and disclosure by health plans, health care clearinghouses, and certain health care providers. It is designed to improve the efficiency and effectiveness of the health care system and requires many things, including the standardization of electronic patient health, administrative and financial data. In response to the original HIPAA law, Health and Human Services (HHS) published an additional regulation referred to as the Privacy Rule that relates directly to organizations involved in health care operations that transmit health information electronically.

The HIPAA Privacy Rule:

  • Establishes conditions under which PHI can be used within a Covered Entity and disclosed to others outside that entity;
  • Grants individuals certain rights regarding their PHI;
  • Requires that Covered Entities maintain the privacy and security of PHI.

HIPAA also establishes security and privacy standards for the use and disclosure of "protected health information" (PHI).

A covered entity is (1) a health plan, (2) a health care clearinghouse, or (3) a health care provider (e.g., group practice, solo practitioner) that transmits any health information in electronic form in connection with health care transactions and (4) their business associates. The Privacy Rule allows covered entities to designate themselves as “hybrid entities” with selected parts subject to the requirements of the Privacy and Security Rules. University of Colorado is a covered entity that has chosen hybrid status. Therefore certain areas of the University have to comply directly with HIPAA. The UCCS HealthCircle Clinics are considered to be covered parts or covered healthcare components of the UCCS covered entity.

A covered entity can use and disclose PHI for Treatment, Payment and Health care Operations (TPO).

•Treatment  generally means the provision, coordination, or management of health care and related services among health care providers or by a health care provider with a third party, consultation between health care providers regarding a patient, or the referral of a patient from one health care provider to another.

•Payment encompasses the various activities of health care providers to obtain payment or be reimbursed for their services and of a health plan to obtain premiums, to fulfill their coverage responsibilities and provide benefits under the plan, and to obtain or provide reimbursement for the provision of health care.  In addition to the general definition, the Privacy Rule provides examples of common payment activities which include, but are not limited to:

  • Determining eligibility or coverage under a plan and adjudicating claims;
  • Risk adjustments;
  • Billing and collection activities;
  • Reviewing health care services for medical necessity, coverage, justification of charges, and the like;
  • Utilization review activities; and
  • Disclosures to consumer reporting agencies (limited to specified identifying information about the individual, his or her payment history, and identifying information about the covered entity).

•Health care operations are certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of treatment and payment. These activities, which are limited to the activities listed in the definition of “health care operations” at 45 CFR 164.501, include:

  • Conducting quality assessment and improvement activities, population-based activities relating to improving health or reducing health care costs, and case management and care coordination;
  • Reviewing the competence or qualifications of health care professionals, evaluating provider and health plan performance, training health care and non-health care professionals, accreditation, certification, licensing, or credentialing activities;
  • Underwriting and other activities relating to the creation, renewal, or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to health care claims
  • Conducting or arranging for medical review, legal, and auditing services, including fraud and abuse detection and compliance programs;
  • Business planning and development, such as conducting cost-management and planning analyses related to managing and operating the entity; and
  • Business management and general administrative activities, including those related to implementing and complying with the Privacy Rule and other Administrative Simplification Rules, customer service, resolution of internal grievances, sale or transfer of assets, creating de-identified health information or a limited data set, and fundraising for the benefit of the covered entity. General Provisions at 45 CFR 164.506.

HIPAA does not consider Research part of health care operations and has created special rules for using PHI for research purposes.  For additional information related to research please click on the Privacy Board Tab on the Compliance Website. 

The UCCS Wellness Center is not a HIPAA covered entity. The HIPAA Privacy Rule only applies to health plans, health care clearinghouses, and those health care providers that transmit health information electronically in connection with certain administrative and financial transactions (“covered transactions”). See 45 CFR § 160.102. Covered transactions are those for which the U.S. Department of Health and Human Services has adopted a standard, such as health care claims submitted to a health plan. See the definition of “transaction” at 45 CFR § 160.103 and 45 CFR Part 162, Subparts K–R. Thus, even though the Wellness Center employs school nurses, physicians, psychologists, or other health care providers, the center is not a HIPAA covered entity because the providers do not engage in any of the covered transactions, such as billing a health plan electronically for their services.

No. All States have laws that require providers to report cases of specific diseases to public health officials. The HIPAA Privacy Rule permits disclosures that are required by law. Furthermore, disclosures to public health authorities that are authorized by law to collect or receive information for public health purposes are also permissible under the Privacy Rule. In order to do their job of protecting the health of the public, it is frequently necessary for public health officials to obtain information about the persons affected by a disease. In some cases they may need to contact those affected in order to determine the cause of the disease to allow for actions to prevent further illness.

The Privacy Rule continues to allow for the existing practice of sharing protected health information with public health authorities that are authorized by law to collect or receive such information to aid them in their mission of protecting the health of the public. Examples of such activities include those directed at the reporting of disease or injury, reporting deaths and births, investigating the occurrence and cause of injury and disease, and monitoring adverse outcomes related to food (including dietary supplements), drugs, biological products, and medical devices.

Yes, provided the school is required by law to have proof of immunizations in order to admit the child, and a parent, guardian, or other person acting in loco parentis has agreed to the disclosure. See 45 CFR 164.512(b)(1)(vi). Where the individual who is a student or prospective student is an adult or emancipated minor, the provider may make the disclosure with the agreement of the student herself. In either case, the agreement may be obtained orally or in writing, but must be documented (e.g., by placing in the medical record a copy of a written request, or notation of an oral request, from a parent for the provider to disclose the proof of immunization to the school).

Yes. The HIPAA Privacy Rule allows covered health care providers to disclose PHI about students to school nurses, physicians, or other health care providers for treatment purposes, without the authorization of the student or student’s parent. For example, a student’s primary care physician may discuss the student’s medication and other health care needs with a school nurse who will administer the student’s medication and provide care to the student while the student is at school. In addition, a covered health care provider may disclose proof of a student's immunizations directly to a school nurse or other person designated by the school to receive immunization records if the school is required by State or other law to have such proof prior to admitting the student, and a parent, guardian, or other person acting in loco parentis has agreed to the disclosure. See 45 CFR 164.512(b)(1)(vi).

Yes. The HIPAA Privacy Rule permits health care providers to communicate with patients regarding their health care. This includes communicating with patients at their homes, whether through the mail or by phone or in some other manner. In addition, the Rule does not prohibit covered entities from leaving messages for patients on their answering machines. However, to reasonably safeguard the individual’s privacy, covered entities should take care to limit the amount of information disclosed on the answering machine. For example, a covered entity might want to consider leaving only its name and number and other information necessary to confirm an appointment, or ask the individual to call back.

A covered entity also may leave a message with a family member or other person who answers the phone when the patient is not home. The Privacy Rule permits covered entities to disclose limited information to family members, friends, or other persons regarding an individual’s care, even when the individual is not present. However, covered entities should use professional judgment to assure that such disclosures are in the best interest of the individual and limit the information disclosed. See 45 CFR 164.510(b)(3).

In situations where a patient has requested that the covered entity communicate with him in a confidential manner, such as by alternative means or at an alternative location, the covered entity must accommodate that request, if reasonable. For example, the Department considers a request to receive mailings from the covered entity in a closed envelope rather than by postcard to be a reasonable request that should be accommodated. Similarly, a request to receive mail from the covered entity at a post office box rather than at home, or to receive calls at the office rather than at home are also considered to be reasonable requests, absent extenuating circumstances. See 45 CFR 164.522(b).

Yes.  As long as you do not object, your health care provider is allowed to share or discuss your health information with your family, friends, or others involved in your care or payment for your care.  Your provider may ask your permission, may tell you he or she plans to discuss the information and give you an opportunity to object, or may decide, using his or her professional judgment, that you do not object.  In any of these cases, your health care provider may discuss only the information that the person involved needs to know about your care or payment for your care. 

Here are some examples:

  • A provider may discuss your treatment in front of your friend when you ask that your friend come into the treatment room.
  • Your clinic may discuss your bill with your daughter who is with you at the clinic and has questions about the charges.
  • Your provider may talk to your sister who is driving you home from the clinic about your keeping your foot raised during the ride home.
  • Your provider may discuss the drugs you need to take with your health aide who has come with you to your appointment.
  • Your nurse may tell you that she is going to tell your brother how you are doing, and then she may discuss your health status with your brother if you did not say that she should not.

BUT:
Your nurse may not discuss your condition with your brother if you tell her not to.

Yes. Disclosures of protected health information in a group therapy setting are treatment disclosures and, thus, may be made without an individual’s authorization. Furthermore, the HIPAA Privacy Rule generally permits a covered entity to disclose protected health information to a family member or other person involved in the individual’s care. Where the individual is present during the disclosure, the covered entity may disclose protected health information if it is reasonable to infer from the circumstances that the individual does not object to the disclosure. Absent countervailing circumstances, the individual’s agreement to participate in group therapy or family discussions is a good basis for inferring the individual’s agreement.

No. Nothing in the Privacy Rule changes the way in which an individual grants another person power of attorney for health care decisions. State law (or other law) regarding health care powers of attorney continue to apply. The intent of the provisions regarding personal representatives was to complement, not interfere with or change, current practice regarding health care powers of attorney or the designation of other personal representatives. Such designations are formal, legal actions which give others the ability to exercise the rights of, or make treatment decisions related to, an individual. The Privacy Rule provisions regarding personal representatives generally grant persons, who have authority to make health care decisions for an individual under other law, the ability to exercise the rights of that individual with respect to health information.

No. Your UCCS email account is not secure and encrypted therefore when sending PHI you must use FileLocker.

Here’s a link to UCCS’ FileLocker page: http://www.uccs.edu/helpdesk/faculty-and-staff/file-storage/filelocker.html

  • Ensure your computer is encrypted:
  • If you use a mobile device to access PHI, the device (regardless of ownership) must be encrypted
  • Do not store data on the hard drive.
  • If you use a laptop do not leave it in places where it can easily be taken.
  • If possible, do not remove PHI from the premises.

The HIPAA Privacy Rule requires that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI), in any form. See 45 CFR 164.530(c). This means that covered entities must implement reasonable safeguards to limit incidental, and avoid prohibited, uses and disclosures of PHI, including in connection with the disposal of such information. In addition, the HIPAA Security Rule requires that covered entities implement policies and procedures to address the final disposition of electronic PHI and/or the hardware or electronic media on which it is stored, as well as to implement procedures for removal of electronic PHI from electronic media before the media are made available for re-use. See 45 CFR 164.310(d)(2)(i) and (ii). Failing to implement reasonable safeguards to protect PHI in connection with disposal could result in impermissible disclosures of PHI.

Further, covered entities must ensure that their workforce members receive training on and follow the disposal policies and procedures of the covered entity, as necessary and appropriate for each workforce member. See 45 CFR 164.306(a)(4), 164.308(a)(5), and 164.530(b) and (i). Therefore, any workforce member involved in disposing of PHI, or who supervises others who dispose of PHI, must receive training on disposal. This includes any volunteers. See 45 CFR 160.103 (definition of “workforce”).

Thus, covered entities are not permitted to simply abandon PHI or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons. However, the Privacy and Security Rules do not require a particular disposal method. Covered entities must review their own circumstances to determine what steps are reasonable to safeguard PHI through disposal, and develop and implement policies and procedures to carry out those steps. In determining what is reasonable, covered entities should assess potential risks to patient privacy, as well as consider such issues as the form, type, and amount of PHI to be disposed. For instance, the disposal of certain types of PHI such as name, social security number, driver’s license number, debit or credit card number, diagnosis, treatment information, or other sensitive information may warrant more care due to the risk that inappropriate access to this information may result in identity theft, employment or other discrimination, or harm to an individual’s reputation.

In general, examples of proper disposal methods may include, but are not limited to:

  • For PHI in paper records, shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.
  • Maintaining labeled prescription bottles and other PHI in opaque bags in a secure area and using a disposal vendor as a business associate to pick up and shred or otherwise destroy the PHI.
  • For PHI on electronic media, clearing (using software or hardware products to overwrite media with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains), or destroying the media (disintegration, pulverization, melting, incinerating, or shredding).

For more information on proper disposal of electronic PHI, see the HHS HIPAA Security Series 3: Security Standards – Physical Safeguards. In addition, for practical information on how to handle sanitization of PHI throughout the information life cycle, readers may consult NIST SP 800-88, Guidelines for Media Sanitization.

Other methods of disposal also may be appropriate, depending on the circumstances. Covered entities are encouraged to consider the steps that other prudent health care and health information professionals are taking to protect patient privacy in connection with record disposal. In addition, if a covered entity is winding up a business, the covered entity may wish to consider giving patients the opportunity to pick up their records prior to any disposition by the covered entity (and note that many states may impose requirements on covered entities to retain and make available for a limited time, as appropriate, medical records after dissolution of a business).
For questions please contact:

UCCS Privacy Officer
Deborah O’Connor
719-255-3837
doconnor@uccs.edu
UCCS Security Officer
Thomas Conley
719-255-3211
tconley@uccs.edu

De-identified data are not subject to the requirements of the Privacy and Security Rules because the data are not individually identifiable and not considered PHI.  There are two ways to de-identify data:

  1. Safe Harbor Method – in which all of the following 18 elements are removed from a data set:
    1. Names
    2. Geographic info (including city and ZIP)
    3. Elements of dates (except year), ages over 89 years
    4. Telephone #s
    5. Fax #s
    6. E-mail address
    7. Social Security #
    8. Medical record, prescription #s
    9. Health plan beneficiary #s
    10. Account #s
    11. Certificate/license #s
    12. VIN and Serial #s, license plate #s
    13. Device identifiers, serial #s
    14. Web URLs
    15. IP address #s
    16. Biometric identifiers (finger prints)
    17. Full face, comparable photo images
    18. Unique identifying #s

If all of the 18 identifiers listed above are removed, the information is no longer

  1. individually identifiable,
  2. PHI, and
  3. Subject to HIPAA's requirements.
  1. Statistical Method – in which certification is provided by "a person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable so that there is a ‘very small’ risk that the information could be used by the recipient to identify the individual who is the subject of the information, alone or in combination with other reasonably available information.”   For more information see HHS Guidance for De-identification of Protected Health Information.

A data set may also be considered de-identified if an expert in statistical and scientific methods determines and documents that the methods used to de-identify or code the data present a very small risk that the information can be used alone or in combination with other reasonably available information to identify an individual.

"Anonymous" data are not necessarily considered de-identified under HIPAA. Anonymity under the federal Common Rule requires that individuals cannot be readily ascertained by the investigator and cannot be associated with the data. According to the Common Rule standard, anonymous data may retain dates of treatment. Under HIPAA's more stringent requirements, however, such data would be considered identifiable data.

Some studies may need to retain a limited number of identifiers and, thus, not meet the strict HIPAA definition of "de-identified data." However, these studies may present only minimal potential for identifying participants based on the data set. In such circumstances, HIPAA permits use of a "Limited Data Set" for research purposes. A Limited Data Set is PHI that excludes "direct identifiers" of the individual, relatives of the individual, employers, or household members.

A limited data set must exclude all direct identifiers such as:

  1. Names
  2. Street Addresses or P.O. Box Numbers
  3. Phone and Fax Numbers
  4. Email Addresses
  5. Social Security Numbers
  6. Medical Record Numbers
  7. Health Plan Numbers
  8. Account Numbers
  9. Certificate/Licenses Numbers
  10. Vehicle Identifiers/License Plates
  11. Device Identifiers
  12. Web URLS
  13. Internet Protocols (IP)
  14. Full Face Photos

A limited data set may include one or more of the following:

  1. Towns
  2. Cities
  3. States
  4. Zip Code and their equivalent geocodes. (Note that a zip code cannot be used if the area composing the zip code has less than 20,000 citizens.)
  5. Dates including birth and death
  6. Other unique identifying numbers, characteristics, or codes that are not expressly excluded as long as the unique identifier(s) cannot be used to identify a specific individual. (e.g. the four time NFL MVP would be a unique identifier that identifies only one individual, so could not be used)
  7. Relevant medical information

A Limited Data Set may be used only for purposes of research, public health, or health care operations. Under the Privacy Rule, use or disclosure of limited data sets for research purposes requires a "Data Use Agreement."

A Limited Data Set may be used only if the covered entity providing the data and the recipient of the data first enter into a Data Use Agreement. The investigator, the holder of the PHI, and their respective institutions, must sign Data Use Agreements, either for access to a Limited Data Set or for the release of a Limited Data Set. At UCCS, the Office of Legal Counsel and Compliance will assist with the completion of these agreements. These agreements must, among other things, establish the permitted uses and disclosures of the information included in the Limited Data Set and must provide that the recipient of the Limited Data Set will not identify the information or use it to contact individuals.

As with research conducted pursuant to an authorization, disclosure(s) of PHI that are part of a Limited Data Set need not be tracked for purposes of providing an accounting to an individual.

The HIPAA Privacy Rule states the Minimum Necessary Standard applies when using or disclosing protected health information (PHI), or when requesting PHI from others, a covered entity must take reasonable steps to limit uses and disclosures of PHI to "the minimum necessary to accomplish the intended purpose of the use, disclosure, or request." The minimum necessary standard applies to all uses and disclosures for the purposes of payment, health care operations and research (it does not apply to treatment). Even if accessing PHI for research purposes pursuant to an authorization, the researcher must limit the amount of information requested in the authorization to the minimum necessary.

Under the HITECH Act it is further explains, if a covered entity does not comply with the minimum necessary standard it could be considered a Breach.

Health-related information is considered PHI if (any of the following are true):

  1. the researcher obtains the records directly from a health plan, health care clearing house, or health care provider;
  2. the records were created by any of the entities (aka Covered Entities) in "1" and the researcher obtains the records from an intermediate source; OR
  3. the researcher obtains it directly from the study subject in the course of providing treatment to the subject.

    Report a concern or have Questions

    UCCS Privacy Officer
    Deborah O’Connor
    719-255-3837
    doconnor@uccs.edu
    UCCS Security Officer
    Thomas Conley
    719-255-3211
    tconley@uccs.edu

    Forms

    Activities Preparatory to Research - Request for Waiver of Authorization Fill-In Form (PDF)
    Authorization to Release and/or Obtain Patient Information Fill-In Form (PDF)
    Authorization to Use or Disclose Identifiable Health Information for Research
    Approval of Request to Amend Medical or Billing Records (PDF)
    Business Associates Agreement
    Data Use Agreement (PDF)
    Denial of Request to Amend Healthcare Information Form (PDF)
    HealthCircle Notice of Privacy Practices (PDF)
    HIPAA Authorization for Release of Health Information – Media
    HIPAA Security Workbook
    HIPAA Walkthrough Checklist
    PHI Disclosure Accounting Log (PDF)
    Privacy Complaint Fill-In Form (PDF)
    Privacy - Security Incident Fill-In Form (PDF)
    Request for Alternate Means of Communication of Confidential Medical Information (PDF)
    Request for Amendment of Health Information Instructions and Fill-in Form (PDF)
    Request for Accounting of Disclosures of Protected Health Information Fill-in Form (PDF)
    Request for Waiver of Elements of Authorization or an Altered Authorization Fill-In Form (PDF)
    Request to Restrict Uses or Disclosures of Personal Medical Records (PDF)
    Request to View or Obtain Copy of Personal Medical Records (PDF)
    Required Representations for Research on Decedents Information Fill-In Form (PDF)
    Revocation of Authorization Fill-in Form (PDF)

    Policies

    For a complete PDF version of the UCCS HIPAA policy portfolio, please visit the UCCS Policy Webpage at:  https://www.uccs.edu/vcaf/sites/vcaf/files/inline-files/2018_AUG_21_100-020%20HIPAA%20Compliance%20Policy%28FINAL-APPROVED-link%20edits-11.30.18%29.pdf

    Policy Title: HIPAA Compliance Policy  
    Policy Number: 100-020 Policy Functional Area: Administration/Organization
    Effective:  
    Approved by: Venkat Reddy, Chancellor
    Responsible Vice Chancellor: Strategic Initiatives (VCSI)
    Office of Primary Responsibility: Compliance
    Policy Primary Contact: Compliance, 719-255-3837
    Supersedes: Not applicable
    Last Reviewed/Updated: Not applicable
    Applies to: Workforce members


    Reason for Policy: This policy was established to comply with the Health Insurance Portability and Accountability Act (HIPAA) for UCCS designated health care components.

     

    I. INTRODUCTION

    The University of Colorado Colorado Springs (“UCCS” or “University”) has adopted this HIPAA Compliance Policy to comply with the Health Insurance Portability and Accountability Act (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 (Title XIII of division A and Title IV of division B of the American Recovery and Reinvestment Act “ARRA”) and the HIPAA Omnibus Final Rule (Effective Date: March 26, 2013). We acknowledge that full compliance with the HIPAA Final Rule is required by or before September 23, 2013.

    II. POLICY STATEMENT

    • General. In general, HIPAA addresses protected health information (PHI) that is maintained or transmitted by a covered entity (CE). UCCS takes all actions required to comply with the HIPAA.
      1. UCCS hereby acknowledges our duty and responsibility to protect the privacy and security of individually identifiable health information (IIHI) generally, and PHI as defined in the HIPAA Regulations, under the regulations implementing HIPAA, and other federal and state laws protecting the confidentiality of personal information. UCCS also acknowledges our duty and responsibility to support and facilitate the timely and unimpeded flow of health information for lawful and appropriate purposes.
      2. UCCS shall develop and implement written privacy policies and procedures that are consistent with the HIPAA Rules and the UCCS Campus Policy Process. If necessary, each UCCS designated health care component will develop department/unit level policies and procedures.
    • Scope. The University of Colorado has a hybrid entity designation as defined below in the key terms. This policy applies to UCCS designated health care components and their workforce members as defined below in the key terms. The designated health care components for UCCS can be found in the University’s Administrative Policy Statement 5055: HIPAA Hybrid Entity Designation Exhibit A. All workforce members associated with UCCS designated health care components must read, understand, and comply with this policy in full and at all times.
    • Compliance and Enforcement. UCCS and its designated health care components must comply with HIPAA, the HIPAA implementing regulations, in accordance with the requirements at 45 CFR Parts 160 and 164, as amended, and this policy. Full compliance with HIPAA is mandatory and failure to comply can bring severe sanctions and penalties. All UCCS designated health care component directors and managers, as well as the privacy and security officers, are responsible for enforcing this policy.
    • Privacy and Security Personnel. UCCS will designate and maintain at all times an active privacy officer and security officer. The UCCS privacy officer and UCCS security officer are responsible for developing and implementing its campus-wide policies and procedures and training related to HIPAA. The privacy officer will serve as the contact person responsible for receiving complaints and providing individuals with information on UCCS designated health care components practices. The UCCS Director of Campus Compliance will sever as the privacy officer.
    • Workforce Training and Management. UCCS designated health care components shall train all workforce members on its privacy policies and procedures, as necessary and appropriate for them to carry out their various functions.
    • Sanctions. UCCS and each designated health care component shall have and apply appropriate sanctions against workforce members who violate its privacy policies and procedures, and/or HIPAA’s Privacy and Security Rules.
    • Mitigation. UCCS and each designated health care component shall mitigate, to the extent practicable, any harmful effect it learns was caused by its workforce or its business associates in violation of its privacy policies and procedures or the HIPAA Privacy Rule.
    • Data Safeguards. UCCS and each designated health care component shall maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional uses or disclosures of PHI in violation of HIPAA and its own policies, and to limit the incidental uses and disclosures pursuant to otherwise permitted or required uses or disclosures.
    • Complaints. UCCS and each designated health care component shall establish procedures for individuals to complain about its compliance with its privacy policies and procedures and the Privacy Rule. UCCS designated health care components shall explain those procedures in its privacy practices notice.
    • Retaliation and Waiver. UCCS and each designated health care component shall not retaliate against a person for exercising rights provided by HIPAA, for assisting in an investigation by the federal or state government or another appropriate authority, or for opposing an act or practice that the person believes in good faith violates any HIPAA standard or requirement. UCCS and each designated health care component shall not require an individual to waive any right under HIPAA as a condition for obtaining treatment, payment, and enrollment or benefits eligibility.
    • Documentation and Record Retention. UCCS and each designated health care component shall maintain, until at least six years after the later of the date of their creation or last effective date, its privacy policies and procedures, its privacy practices notices, dispositions of complaints, and other actions, activities, and designations that the Privacy Rule requires it to be documented.
    • Attachments. The attachments in section IV of this policy may be amended as needed with written approval from the UCCS privacy officer, the UCCS security officer, and the Vice Chancellor responsible for compliance.

     


    III. KEYWORDS

    • Business Associate: a person or entity that creates, receives, maintains or transmits PHI to perform certain functions or activities on behalf of a CE or provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services for a CE and the provision of the service involves the disclosure of PHI. 45 C.F.R. § 160.103. All Business Associate Agreements (BAAs)not in the template format must be reviewed by the UCCS privacy officer and the Office of University Counsel. Any breach of a BAA must be reported as soon as possible to the UCCS privacy officer.
    • Covered Entity (CE): a health plan, a health care clearinghouse or a health care provider who transmits any health information in electronic form in connection with a covered transaction. 45 C.F.R. § 160.103
    • Covered Transaction: the transmission of information between two parties to carry out financial or administrative activities related to health care and includes the following transmissions:
      1. Health care claims or equivalent encounter information.
      2. Health care payment and remittance advice.
      3. Coordination of benefits.
      4. Health care claim status.
      5. Enrollment and disenrollment in a health plan.
      6. Eligibility for a health plan.
      7. Health plan premium payments.
      8. Referral certification and authorization.
      9. First report of injury.
      10. Health claims attachments.
      11. Health care electronic funds transfers (EFT) and remittance advice.
      12. Other transactions that the Secretary may prescribe by regulation. 45 C.F.R. § 160.103
    • Data Use Agreement (DUA): UCCS designated health care components may use or disclose a limited dataset (LDS) only if it obtains satisfactory assurance, in the form of a written DUA, that the LDS recipient will use or disclose the PHI for limited purposes. If the UCCS DUA template is not used, then the following components must be included in the agreement:
      1. Establish the permitted uses and disclosures of the LDS, which must be limited to the purposes of research, public health, or health care operations;
      2. Limit the LDS recipient to use or further disclose the PHI in the manner that the UCCS designated health care component may allow;
      3. Establish who is permitted to use or receive the LDS;
      4. Provide that the LDS recipient will:
        • Not use or further disclose the PHI other than as permitted by the agreement or as otherwise required by law;
        • Use appropriate safeguards to prevent use or disclosure of the PHI, other than as provided for by the agreement;
        • Report to the UCCS privacy officer any improper use or disclosure of the LDS not provided for by the agreement of which the LDS recipient becomes aware;
        • Ensure that any agents, including a subcontractor, to whom it provides the LDS agrees to the same restrictions and conditions that apply to the LDS recipient with respect to such PHI; and
        • Not identify the PHI or contact the patients.
      5. State that if the UCCS designated health care component becomes aware of a pattern of activity or practice of the LDS recipient that constitutes a material breach or violation of agreement, the UCCS designated health care component must take reasonable steps to cure the breach or end the violation, as applicable. If such steps are unsuccessful, the UCCS designated health care component must:
        • Discontinue disclosure of the LDS to the recipient; and
        • Report the problem to the Secretary of the Department of Health and Human Services.
      All DUA’s not in the template format must be reviewed by the UCCS privacy officer and the Office of University Counsel. Any breach of a DUA must be reported as soon as possible to the UCCS privacy officer.
    • Designated Health Care Components: As a hybrid entity, the applicable HIPAA compliance obligations apply only to the University’s designated health care components.
      1. The designated health care components include:
        • Any component that meets the definition of CE if it were a separate legal entity;
        • Components only to the extent that they perform covered functions; and
        • Components that provide business associate services to components that perform covered functions.
      2. The designated health care components for UCCS can be found in Exhibit A of Administrative Policy Statement 5055 HIPAA Hybrid Entity Designation.
      3. Employee and Information Services in consultation with the Office of University Counsel shall review and amend Exhibit A as needed, but no less frequently than annually.
    • Designated Record Set: A group of records maintained by a UCCS designated health care component that is the medical and billing records about an individual and is used in whole or in part by the UCCS designated health care component to make decisions about the individual.
    • Electronic protected health information (ePHI): refers to any PHI that is covered under Health Insurance Portability and Accountability Act of 1996 (HIPAA) security regulations and is produced, saved, transferred or received in an electronic form.
    • Health Care Component: A unit or combination of units designated by UCCS because they meet the definition of CE or business associate in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) including all pertinent regulations (45 CFR Parts 160 and 164) issued by the U.S. Department of Health and Human Services as either have been amended by Subtitle D of the Health Information Technology for Economic and Clinical Health Act (the “HITECH” Act), as Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5). This definition also includes the UCCS Health Circle Clinics and any other UCCS unit that falls within the definition of a business associate of the UCCS HealthCircle Clinics. UCCS health care components are identified in Exhibit A of Administrative Policy Statement 5055 HIPAA Hybrid Entity Designation.
    • Health Care Operations: Include but are not limited to the following activities:
      1. Quality assessment and improvement activities including:
        • Outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of studies resulting from such activities;
        • Patient safety activities;
        • Population-based activities relating to improving health or reducing health care costs; protocol development; case management and care coordination; contacting of health care providers and patients with information about treatment alternatives;
        • Reviewing the competence or qualifications of health care professionals;
        • Evaluating practitioner and provider performance;
        • Conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or to improve their skills as health care providers;
        • Training of non-health care professionals;
        • Accreditation, certification, licensing, or credentialing activities;
        • Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs;
        • Business planning and development;
        • Business management and general administrative activities of the UCCS designated health care components, including, but not limited to, management activities related to implementation of and compliance with HIPAA requirements, resolution of internal grievances, creating de- identified health information or a limited data set, and fundraising for the benefit of the UCCS designated health care component.
    • Health Information: Information created or received by a health care provider, health plan, public health authority, employer, life insurer, school, university, or health care clearinghouse that relates to: an individual’s past, present or future physical or mental health or condition; the provision of health care to an individual; or payment for provision of health care to an individual.
    • HIPAA-Related Documentation: Documentation that contains protected heath information (PHI) or is required by UCCS HIPAA policies.
    • Hybrid Entity: A single legal entity that conducts both covered and non-covered functions and designates health care components in accordance with 45 C.F.R. § 164.105(a)(2)(iii)(D). 45 C.F.R. § 164.103
    • Incidental Disclosure: A secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and occurs as a result of another use or disclosure that is permitted by the Rule.
    • Limited Data Set (LDS): Use or disclose limited data sets of PHI without the need for a valid authorization for the purpose of research, public health, or health care operations, as long as the following conditions are met;
      1. That the purpose of the use and disclosure is limited to research, public health, or health care operations;
      2. That the use or disclosure complies with the Minimum Necessary Standard;
      3. The source of the PHI and the use or disclosure does not place an undue burden on UCCS designated health care component resources.
      An LDS consists of PHI that excludes the following identifiers of the individual, or of the individual’s relatives, employers, or household members:
      1. Names;
      2. Postal address information, other than town and city, State, and zip code;
      3. Telephone numbers;
      4. Fax numbers;
      5. Electronic mail addresses;
      6. Social security numbers;
      7. Medical record numbers;
      8. Health plan beneficiary numbers;
      9. Account numbers;
      10. Certificate/license numbers;
      11. Vehicle identifiers and serial numbers, including license plate numbers;
      12. Device identifiers and serial numbers;
      13. Web Universal Resource Locators (URLs);
      14. Internet Protocol (IP) address numbers;
      15. Biometric identifiers, including finger and voice prints; and,
      16. Full face photographic images and any comparable images.
      Before an LDS may be disclosed, a data use agreement must be in place between UCCS and the recipient of the LDS.
    • Minimum Necessary Standard: Applies when using or disclosing PHI, or when requesting PHI from others. A CE must take reasonable steps to limit uses and disclosures of PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. The minimum necessary standard applies to all uses and disclosures for the purposes of payment, health care operations, and research (it does not apply to treatment). Even if accessing PHI for research purposes pursuant to an authorization, the researcher must limit the amount of information requested in the authorization to the minimum necessary.
    • Privacy Board: A review body that may be established to act upon requests for a waiver or an alteration of the authorization requirement under the Privacy Rule for uses and disclosures of PHI for a particular research study. A privacy board may waive or alter all or part of the authorization requirements for a specified research project or protocol. A CE may use and disclose PHI, without an authorization or with an altered authorization, if it receives the proper documentation of approval of such alteration or waiver from a privacy board.
    • Privacy Officer: is the UCCS Director of Campus Compliance who is responsible for managing the risks and business impacts of HIPAA privacy laws and policies. For detailed information, visit the Ethics and Compliance Website at https://www.uccs.edu/compliance/ or contact directly at comply@uccs.edu.
    • Protected Health Information (PHI): means individually identifiable health information transmitted or maintained in any form or medium that is created, collected, or received by the UCCS designated health care components, whether used for academic, administrative, research or health care purposes. PHI excludes individually identifiable health information in education records covered by Family Educational Rights and Privacy Act (FERPA) and in University employment records. The following are identifiers of the individual or of relatives, employers, or household members of the individual:
      1. Names;
      2. All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:
        • The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and
        • The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
        • Currently, 036, 059, 063, 102, 203, 556, 592, 790, 821, 823, 830, 831, 878, 879, 884, 890, and 893 are all recorded as "000".
      3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
      4. Telephone numbers;
      5. Fax numbers;
      6. Electronic mail addresses;
      7. Social security numbers;
      8. Medical record numbers;
      9. Health plan beneficiary numbers;
      10. Account numbers;
      11. Certificate/license numbers;
      12. Vehicle identifiers and serial numbers, including license plate numbers;
      13. Device identifiers and serial numbers;
      14. Web Universal Resource Locators (URLs);
      15. Internet Protocol (IP) address numbers;
      16. Biometric identifiers, including finger and voice prints;
      17. Full face photographic images and any comparable images; and
      18. Any other unique identifying number, characteristic, or code,
      The CE does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.
    • Research: A systematic investigation designed to develop or contribute to generalizable knowledge. (As defined by the National Institute of Health)
    • Security Incident: means an attempted or successful acquisition, unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system, in a manner not permitted under the HIPAA Security Rule (45 CFR Part 160 and 164, Subpart C) which compromises the security or privacy of ePHI.
    • Security Officer: The UCCS information security officer who is responsible for the ongoing management of information security policies, procedures, and technical systems in order to maintain the confidentiality, integrity, and availability of all organizational healthcare information systems.
    • Workforce Member: As defined by the Privacy Rule, includes an employee, volunteer, trainee, contractor and other person whose conduct, in the performance of work for a UCCS designated health care component, is under the direct control of the University, whether or not paid by the University.

    IV. RELATED POLICIES, PROCEDURES, FORMS, GUIDELINES, AND OTHER RESOURCES

    • Administrative Policy Statements (APS) and Other Policies
      1. APS 2006 Retention of University Records
      2. APS 2027 Code of Conduct
      3. APS 5055 HIPAA Hybrid Entity Designation
      4. APS 6002 Electronic Communications
      5. APS 6005 IT Security Program
      6. APS 6010 Data Governance
      7. UCCS Policy 100-001: Campus Policy Process
      8. UCCS Policy 700-001: E-Mail as Official Means of Communication
      9. UCCS Policy 700-003: Information Technology Security
      10. UCCS Policy 700-004: Wireless Networks
      11. UCCS Policy 700-005: Computer Security Incident Response
      12. UCCS Policy 700-006: Computer and Electronics Disposal
      13. UCCS Policy 800-002: Social Media Policy
      14. Reporting and filing a complaint (see Compliance and Ethics Website)
    • Procedures
    • Forms
    • Guidelines
    • Other Resources (i.e. training, secondary contact information)
      1. American Recovery and Reinvestment Act (“ARRA”)
      2. Health Insurance Portability and Accountability Act (“HIPAA”)
      3. Health Information Technology for Economic and Clinical Health (“HITECH”)
      4. National Institute of Technology (“NIST”)
    • Frequently Asked Questions

    V. ATTACHMENTS

    Attachment Number Name Reference Brief Overview
    1 Policies and Procedures Policy
    General Requirement
    164.306; 164.316
    164.312(b)(1)
    164.530(i)
    Implement reasonable and appropriate P&Ps to comply with all standards, implementation specifications, or other requirements. P&P changes must be appropriately documented.
    2 HIPAA Documentation Policy (Retention) Requirement 164.530(j)(1)(ii)
    164.530(j)(1)(iii)
    164.312(b)(2)
    164.316
    Maintain all P&Ps in written (may be electronic) form. If an action, activity or assessment must be documented, maintain written (may be electronic) records of all.

    Retain all required documentation for 6 years from the date of its creation or the date when it last was in effect, whichever is later.
    3 HIPAA Documentation Availability and Updating Policy Requirement 164.310
    164.316
    164.530(j)
    Make documentation available to those persons responsible for implementing the Policies and/or Procedures to which the documentation pertains.

    Review documentation periodically and update as needed, in response to environmental or operational changes affecting the security of PHI.
    4 HIPAA Investigations Policy 160.308
    164.310
    164.312
    CEs and BAs must implement policies & procedures to assure compliance with HHS investigation & record keeping requirements.
    5 Breach Notification Policy 164.400 to 164.414 Requires CEs and BAs to comply with all Breach Notification requirements: risk analysis; determination of potential harm; notifications.
    6 HIPAA Training Policy 164.530(b) CEs and BAs must train all affected workforce members on their Policies & Procedures, as well as the basics of HIPAA, as needed.
    7 Patient Rights Policy 164.520 to 164.528 CEs (and BAs optionally) must implement policies & procedures to assure the lawful provision of Patient Rights as called for in HIPAA regulations
    8 PHI Uses and Disclosures Policy 164.502 to 164.514 CEs and BAs must establish methods and procedures to assure that all PHI uses & disclosures are in accord with HIPAA regulations
    9 Use and Disclosure for Research Purposes 164.508
    164.512 (i)
    164.514 (e)
    CEs and BAs must establish methods and procedures to assure that all PHI uses & disclosures related to research are in accord with HIPAA regulations
    10 Privacy Complaints Policy 164.530(d)
    164.530(a)
    CEs and BAs must establish methods and procedures to assure the proper handling of, and response to, all complaints received.
    11 Risk Management and Risk Analysis Policy Required 164.302 to 164.318
    164.308(a)(1)
    Establishes the overall Risk Management process that CEs and BAs must implement to meet Privacy & Security Rule compliance requirements.

    Conduct assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the entity.

    Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with Sec. 164.306(a).
    12 Sanction Policy Required Standard 164.308(a)(1) Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.
    13 Information System Activity Review (Required Standard) / Authorization and Supervision Policy (Addressable Standard) / Log-in Monitoring Policy (Addressable Standard) 164.308(a)(1)
    164.308(a)(3)
    164.308(a)(5)
    Implement procedures to regularly review information system activity: audit logs; access reports; and security incident reports; etc.

    Implement procedures for authorization and/or supervision of workers who work with ePHI or in locations where it might be accessed.

    Implement Procedures for monitoring and reporting log-in attempts and discrepancies.
    14 Workforce Clearance and Access/Termination Policy Addressable Standard 164.308(a)(3)
    164.308(a)(4)
    164.308(a)(3)
    Implement procedures to determine that the access of a workforce member to ePHI is appropriate, including for workstations, transactions, programs, processes, or other mechanisms.

    Implement procedures for terminating access to ePHI when the employment ends or as required by (a)(3)(ii)(B) of this section.
    15 HIPAA Security Reminders Policy Addressable Standard 164.308(a)(5) Implement periodic reminders of security and information safety best practices.
    16 HIPAA Malware Protection Policy Addressable Standard 164.308(a)(5) Implement Procedures for guarding against, detecting, and reporting malicious software.
    17 HIPAA Password Management Policy Addressable Standard 164.308(a)(5) Implement Procedures for creating, changing, and safeguarding appropriate passwords.
    18 HIPAA Security Incident Policy Required Standard 164.308(a)(6)
    164.400 to 164.414
    Identify and respond to suspected or known security incidents. Mitigate harmful effects. Document security incidents and their outcomes.
    19 HIPAA Data Backup Policy Required Standard Data Backup and Storage Policy Addressable Standard 164.308(a)(7)
    164.310(d)(1-2)
    164.308(a)(7)
    Establish and implement procedures to create and maintain retrievable, exact copies of ePHI during unexpected negative events.
    The Data Backup Plan defines what data is essential for continuity after damage or destruction of data, hardware, or software. Risk Analysis determines what to backup.
    20 HIPAA Disaster Recovery Policy Required Standard 164.308(a)(7) Establish (and implement as needed) procedures to restore any loss of data.
    21 Emergency Mode Operation Policy Required Standard 164.308(a)(7) Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of ePHI while operating in emergency mode.
    22 Policy on Testing and Revision of Contingency and Emergency Plans and Procedures Addressable Standard 164.308(a)(7) Implement procedures for periodic testing and revision of contingency and emergency plans.
    23 Policy on Applications and Data Criticality Analysis Addressable Standard 164.308(a)(7) Assess the relative criticality of specific applications and data in support of other contingency plan components.
    24 Policy on Evaluating the Effectiveness of Security Policies and Procedures Required Standard 164.308(a)(8) Perform periodic technical & nontechnical evaluations, to establish how well security P&Ps meet the requirements of this subpart.
    25 Business Associates Policy Required Standard 164.308(b)(1)
    164.410
    164.502(e)
    164.504(e)
    CE’s must obtain, and BA’s must provide, written satisfactory assurances that all ePHI and PHI will be appropriately safeguarded.
    26 Contingency Operations Policy Addressable Standard 164.310(a)(1-2) Establish (and implement as needed) procedures that allow facility access to support restoration of lost data in the event of an emergency.
    27 Facility Security Policy Addressable Standard 164.310(a)(1-2) Implement P&P’s to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
    28 Access Control and Validation Policy Addressable Standard 164.310(a)(1-2) Implement procedures to control and validate individual access to facilities based on role or function; including visitor control, and access control for software testing and revision.
    29 Maintenance Records Addressable Standard 164.310(a)(1-2) Implement P&Ps to document repairs and changes to physical elements of a facility related to security (hardware, walls, doors, locks, etc.).
    30 Workstation Use and Security Policy Required Standard 164.310(b-c) Implement P&Ps that specify the proper functions, procedures, and appropriate environments of workstations that access ePHI.

    Implement physical safeguards for all workstations that access ePHI, to restrict access to authorized users.
    31 Media Disposal and Re-Use (Required Standard)/Hardware and Media Accountability Policy (Addressable Standard) 164.310(d)(1-2) Implement P&Ps to address the final disposition of ePHI, and/or the hardware or electronic media on which it is stored.

    Implement procedures for removal of ePHI from electronic media before the media are made available for re-use.

    Maintain records of the movements of hardware and electronic media, and any person responsible therefore.
    32 Unique User Identification Policy Required Standard 164.306
    164.312(a)(1-2)
    Assign a unique name and/or number for identifying and tracking user identity.
    33 Emergency Access Policy Required Standard 164.104
    164.306
    164.312(a)(1)
    Establish (and implement as needed) procedures for obtaining necessary ePHI during an emergency.
    34 Automatic Log-Off Policy Addressable Standard 164.306
    164.312(a)(1-2)
    Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
    35 Encryption and Decryption Policy Addressable Standard 164.312(a)(1-2) Implement an appropriate mechanism to encrypt and decrypt ePHI.
    36 Audit Controls Policy Required Standard 164.312(b) Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
    37 Data Integrity Controls Policy Addressable Standard 164.312(c)(1-2) Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.
    38 Person or Entity Authentication Policy Required Standard 164.312(d) Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.
    39 Data Transmission Security Policy Addressable Standard 164.312(e)(1) Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of.

    VI. FORMS

    Form Number Name Reference Corresponding Attachment
    1 Business Associates Agreement Template 164.308(b)(1)
    164.410
    164.502(e)
    164.504(e)
    HIPAA Compliance Policy Attachment 5 Breach Notification
    2 Authorization to Release and or Obtain Patient Information 164.502 to 164.514 Attachment 7 Patient Rights Policy Attachment 8 PHI Uses and Disclosures Policy
    3 HIPAA Authorization for Release of Health Information – Media 164.502 to
    164.514
    Attachment 8 PHI Uses and Disclosures Policy
    4 Authorization to Use or Disclose Identifiable Health Information for Research 164.508
    164.512 (i)
    Attachment 9 Use and Disclosure for Research Purposes
    5 Request for Waiver of Elements of Authorization or an Altered Authorization 164.508
    164.512 (i)
    Attachment 9 Use and Disclosure for Research Purposes
    6 Activities Preparatory to Research Request for Waiver Form 164.508
    164.512 (i)
    Attachment 9 Use and Disclosure for Research Purposes
    7 Required Representations for Research on Decedents Information Form 164.508
    164.512 (i)
    Attachment 9 Use and Disclosure for Research Purposes
    8 Data Use Agreement   Attachment 8 PHI Uses and Disclosures Policy Attachment 9 Use and Disclosure for Research Purposes
    9 Notices of Privacy Practices 164.502 to
    164.514
    Attachment 7 Patient Rights Policy Attachment 8 PHI Uses and Disclosures Policy
    10 Privacy Complaint Form 164.530(d)
    164.530(a)
    Attachment 7 Patient Rights Policy Attachment 10 Privacy Complaints Policy
    11 Privacy - Security Incident Report 164.502 to 164.514 Attachment 13 Information System Activity Review/Authorization and Supervision Policy/Log-in Monitoring Policy
    12 Revocation of Authorization 164.502 to 164.514 Attachment 8 PHI Uses and Disclosures Policy Attachment 9 Use and Disclosure for Research Purposes
    13 Request for Accounting of Disclosures of Protected Health Information 164.502 to 164.514 Attachment 7 Patient Rights Policy
    14 Request for Amendment of Health Information 164.502 to 164.514 Attachment 7 Patient Rights Policy
    15 Approval of Request to Amend Medical or Billing Records 164.502 to 164.514 Attachment 7 Patient Rights Policy
    16 Denial of Request to Amend Healthcare Information 164.502 to 164.514 Attachment 7 Patient Rights Policy
    17 Request to Restrict Uses or Disclosures of Personal Medical Records 164.502 to 164.514 Attachment 7 Patient Rights Policy
    18 Request for Alternate Means of Communication of Confidential Medical Information 164.502 to 164.514 Attachment 7 Patient Rights Policy
    19 Request to View or Obtain Copy of Personal Medical Records 164.502 to 164.514 Attachment 7 Patient Rights Policy
    20 PHI Disclosure Accounting Log 164.502 to 164.514 Attachment 8 PHI Uses and Disclosures Policy
    21 HIPAA Walkthrough Checklist 164.502 to 164.514 Attachment 11 Risk Management and Risk Analysis Policy
    22 HIPAA Security Workbook 164.502 to 164.514 Attachment 11 Risk Management and Risk Analysis Policy

    *Note: Forms may change without notice. Please obtain the most current form from the Ethics and Compliance Website at https://www.uccs.edu/compliance/news/health-insurance-portability-and-accountability-act-1996-hipaa.

    Policies and Procedures Policy

    Attachment 1

    Scope of Policy

    This policy governs the establishment and maintenance of policies and procedures for UCCS and its designated healthcare components. All workforce members of UCCS designated health care components must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

    Those officers, agents, employees, business associates, contractors, affected vendors, temporary workers, students, and volunteers associated with UCCS designated health care components must read, understand, and comply with this policy in full and at all times.

    Policy Statement

    1. The University Administrative Policy Statement designates which UCCS components are designated health care components as per Exhibit A in the HIPAA Hybrid Entity Designation.
    2. It is the Policy of UCCS to develop and implement written privacy and security policies and procedures that are consistent with the HIPAA rules and the UCCS Campus Policy Process. If necessary, the UCCS healthcare component leadership will develop department/unit level policies and procedures
    3. All UCCS designated health care components policies and procedures shall be updated and amended as needed or as required by law and as suggested by good business practices and general business ethics.
    4. All UCCS designated health care components policies and procedures shall be distributed to, or made otherwise available to, the entire workforce.
    5. All UCCS designated health care components policies and procedures shall be regularly maintained and secured, and copies shall be stored offsite with other important business records for safe keeping.
    6. Al members of the workforce are required to read, understand, and comply with this and all other policies and procedures created and implemented by the UCCS and its designated health care components.

    Procedures

    1. UCCS shall create or revise its own HIPAA policies and procedures, consistent with all applicable HIPAA rules and regulations as well as with applicable state laws and statutes.
    2. The UCCS privacy officer and UCCS security officer will assume control of the campus HIPAA policies and procedures process.
    3. Legal counsel will be included to guide or review the policies and procedures creation/revision process and to intercede where necessary to ensure UCCS HIPAA policies and procedures meet all applicable HIPAA (and other)standards.
    4. UCCS shall internally publish its HIPAA policies and procedures, when complete, to its workforce members and shall provide appropriate training to members of its workforce on the interpretation and implementation of its policies and procedures.
    5. Each director/designate of UCCS designated health care components shall create or revise its own policies and procedures to ensure compliance with the UCCS HIPAA policies and procedures.
    6. Each director/designate of UCCS designated health care components shall maintain documentation on training of workforce related to the all HIPAA policies and procedures.

    Related Policies

    Campus Policy Process

    HIPPA Hybrid Entity Designation

    Reference

    45 CFR § 164.316

    45 CFR § 164.306(b)(2)(i), (ii), (iii), and (iv)

    HIPAA-Related Documentation Policy (Retention)

    Attachment 2

    Scope of Policy

    This policy governs the creation and maintenance of HIPAA-related documentation for UCCS and its designated health care components. All workforce members of UCCS designated health care components must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

    Those officers, agents, employees, business associates, contractors, affected vendors, temporary workers, students, and volunteers associated with UCCS designated health care components must read, understand, and comply with this policy in full and at all times.

    Policy Statement

    1. Those officers, agents, employees, business associates, contractors, affected vendors, temporary workers, students, and volunteers associated with UCCS designated health care components who work for or perform any services (paid or unpaid) must document all HIPAA-related activities that require documentation.
    2. All HIPAA-related documentation must be created and maintained in written form, which may also include electronic forms of documentation.
    3. HIPAA-related documentation shall be securely stored and maintained in a manner consistent with the HIPAA Privacy and Security Rule Standards.
    4. Any action, activity or assessment that must be documented, shall be documented in accordance with this and other policies and procedures implemented by the University and its designated health care components.
    5. All HIPAA-related documentation must be forwarded, used, applied, filed, or stored in accordance with this and other policies and procedures created and implemented by the University and its designated health care components.
    6. All required HIPAA-related documentation shall be securely and appropriately maintained and stored in accordance with HIPAA regulations and with the University, campus, and HIPAA policies on document retention.
    7. It is the Policy of the university to retain all HIPAA-related documentation for a minimum period of six (6) years from the date of its creation or modification, or the date when it was last in effect, whichever is later.
    8. HIPAA-related documentation shall be made available to those workforce members who have a legitimate need for it, and who are authorized to access it, according to current HIPAA standards.

    Procedures

    1. Each UCCS designated health care component is responsible for developing and maintaining departmental policies and procedures related to their documentation requirements and retention.
    2. Each UCCS designated health care component is responsible for maintaining documentation of their workforce training and education related to HIPAA (no less than six years).

    Related Policies

    Retention of University Records

    UCCS Retention Schedule

    Reference

    45 CFR § 164.31645

    CFR § 164.530(j)(ii),(iii),

    45 CFR § 164.312(b)(2)

    HIPAA-Related Documentation Availability and Updating Policy

    Attachment 3

    Scope of Policy

    This policy governs HIPAA-related documentation availability and updating for UCCS and its designated health care components. All workforce members of UCCS designated health care components must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce. Those officers, agents, employees, business associates, contractors, affected vendors, temporary workers, students, and volunteers associated with UCCS designated health care components must read, understand, and comply with this policy in full and at all times.

    Policy Statement

    1. It is the Policy of UCCS and its designated health care components to make all HIPAA-related documentation available to those persons responsible for implementing the policies and/or procedures to which such documentation pertains
    2. All HIPAA-related documentation shall be distributed or made otherwise available to all workforce members who are affected by the documentation, or who require such documentation in the performance of their work-related duties.
    3. Workforce members affected by specific HIPAA-related documentation shall have access to such documentation prior to their beginning or executing work that depends on such documentation.
    4. No member of the workforce shall be held accountable for compliance with any HIPAA-related documentation, policies, or procedures unless they have access to such documentation.
    5. It is the Policy of UCCS and its designated health care components to review all HIPAA-related documentation periodically, and update such documentation as needed, in response to environmental or operation changes affecting the privacy or security of individually identifiable health information.
    6. Reviews of HIPAA-related documentation shall be made periodically, but at least annually, for the purposes of this policy
    7. Campus-wide reviews and updates of HIPAA-related documentation that occur as a result of this policy shall be made by the UCCS privacy officer or the UCCS security officer.
    8. Department-specific reviews and updates of HIPAA-related documentation that occur as a result of this policy shall be made by UCCS designated health care components leadership.

    Procedures

    1. Each UCCS designated health care component is responsible for the education of workforce members about documentation requirements for their area.
    2. Each UCCS designated health care component is responsible for determining if policies and procedures for their area are necessary related to documentation. If it is determined that department-specific policies and procedures are necessary, it is the responsibility of UCCS designated health care component leadership to maintain and update those policies and procedures.

    Related Policies

    Data Governance

    Information Technology Security

    IT Security Program

    Principals of Ethical Behavior

    Providing and Using Information Technology

    Responsible Computing

    Reference

    45 CFR § 164.310

    45 CFR § 164.316

    45 CFR § 164.530(j)

    HIPAA Investigations Policy

    Attachment 4

    Scope of Policy

    This policy governs HIPAA investigations for UCCS designated health care components. All workforce members of the UCCS designated health care components must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

    Those officers, agents, employees, business associates, contractors, affected vendors, temporary workers, students, and volunteers associated with UCCS designated health care components must read, understand, and comply with this policy in full and at all times.

    Policy Statement

    1. It is the Policy of the University and UCCS designated health care components to fully comply with HIPAA law and with all HIPAA-related investigations conducted by Health & Human Services (HHS).
    2. It is the Policy of the University and UCCS designated health care components to not impede or obstruct any HIPAA-related investigations conducted by HHS.
    3. It is the Policy of the University and UCCS designated health care components to provide all documentation or assistance required by law in connection with any HIPAA-related investigations conducted by HHS.

    Procedures

    Workforce members who are designated to assist with HIPAA-related investigations conducted by HHS must adhere to the following procedures:

    1. Whenever a HHS investigation is discovered, the following persons must be immediately notified:
      1. Chancellor
      2. Privacy Officer
      3. Security Officer
      4. Office of University Counsel
      5. UCCS designated health care component's leadership
    2. Ask for the official government agency-issued identification of the investigators (business cards are NOT official identification); write down their names, office addresses, telephone numbers, fax numbers, and e-mail addresses. If investigators cannot produce acceptable I.D., call legal counsel immediately.
    3. Cooperate, but do not volunteer information or records that are not requested.
    4. Have at least one, if not two, witnesses available to testify as to your requests and their responses.
    5. Ask for the name and telephone number of the lead investigator’s supervisor, but only if, in your judgment, his/her demeanor indicates that you can ask such a question without engendering “hard feelings.” Under NO circumstances should you take any action to escalate tensions, except if you genuinely doubt the identity or authority of the investigators.
    6. Determine if there are any law enforcement personnel present (i.e., FBI, US Attorney investigators, State Prosecutor investigators, etc.). If law enforcement personnel are present, then the investigation is likely a criminal one, with much more severe penalties than may result from a civil investigation. If in doubt, ask.
    7. Permit the investigators to have access to protected health information (PHI) in accordance with our Notice of Privacy Practices form (NPP) and Federal and State law. Once investigators have verified their identities and have also verified their authority to access PHI, it is a violation of HIPAA to withhold PHI from them if the PHI sought is the subject matter of the investigation or reasonably related to the investigation. Again, ask investigators to verify that they are seeking access to the information because it is directly related to their legitimate investigatory purposes; and document their responses in your own written records.
    8. Have a witness with you when you ask about their authority to access PHI, and the use that they will make of the PHI they are seeking access to, who can later testify as to what they told you. Two witnesses are even better. All witnesses should also prepare a written summary of the conduct and communications they observed as soon as possible after the incident; these summaries should be annotated with the time and date of the event, the time and date that the summaries were completed, and the witnesses signature. A copy of the summary should be sent to the UCCS privacy officer.
    9. Send staff employees elsewhere, if possible, during this first investigation encounter. There is no requirement that we provide witnesses to be questioned during the initial phase of an investigation.
    10. Do NOT instruct employees to hide or conceal facts, or otherwise mislead investigators
    11. Ask the investigators for documents related to the investigation. For example, request:
      1. copies of any search warrants and/or entry and inspection orders
      2. copies of any complaints
      3. a list of patients they are interested in
      4. a list of documents/items seized
    12. Do NOT expect that investigators will provide any of the above, except for the search warrant and a list of documents/items seized (if any).
    13. Do not leave the investigators alone, if possible. Assign someone to “assist” each investigator present.
    14. Do not offer food (coffee, if already prepared, and water, if already available, is ok). Don’t do anything that could be construed as a “bribe” or a “kickback” to induce favorable treatment, such as offering to buy the investigators lunch.
    15. Tell investigators what you are required by law to tell them. Answer direct questions fully and to the best of your ability. Always defer to the advice of legal counsel if you are unsure of what or how much to say.

    Related Policies

    Code of Conduct

    Principals of Ethical Behavior

    Reference

    45 CFR § 160.308

    45 CFR § 164.310

    45 CFR § 164.312

    Breach Notification Policy

    Attachment 5

    Scope of Policy

    This policy governs breach notification for UCCS and its designated health care components. All workforce members of the UCCS designated health care components must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

    Those officers, agents, employees, business associates, contractors, affected vendors, temporary workers, students, and volunteers associated with UCCS designated health care components must read, understand, and comply with this policy in full and at all times.

    Policy Statement

    1. It is the Policy of the University, UCCS, and its designated health care components to provide timely notifications to affected patients/clients or consumers about breaches of individually identifiable health information.
    2. UCCS designated health care components, in conjunction with the UCCS privacy officer and legal counsel, shall notify individuals when a breach is discovered. A breach is treated as “discovered” by the University the first day on which such breach is known or should reasonably have been known to any workforce member of the UCCS designated health care component, other than the person who committed the breach.
    3. Notification must occur without unreasonable delay and in no event later than 60 days from discovery of the breach, unless law enforcement requests a delay.

    Procedures

    1. Breach notices must include, at a minimum, a brief description of what happened, a description of the types of protected health information (PHI) involved, steps the individual should take to protect themselves from potential harm, a brief description of the actions taken in response to the breach, and contact procedures for the individual to ask questions.
    2. First class mail shall be the default method of notification. The University may use e-mail if requested by the individual, or substitute notice via the University website or local print or broadcast media if we do not have current contact information.
    3. The University must notify major local media outlets of a breach affecting more than 500 individuals.
    4. Business associates of the University are required to immediately report all breaches, losses, or compromises of individually identifiable health information – whether secured or unsecured – to the UCCS privacy officer.
    5. Business associate contracts, whether existing or new, shall have corresponding breach notification requirements included in them. Business Associates Agreement Template
    6. Sanctions or re-training shall be applied to all workforce members who caused or created the conditions that allowed the breach to occur, according to Attachment 12 Sanction Policy.
    7. All breach-related activities and investigations shall be thoroughly and timely documented.

    Definitions

    As used within the HIPAA Final (“Omnibus”) Rule, the following terms have the following meanings: Breach means the acquisition, access, use, or disclosure of PHI in a manner not permitted under federal regulation which compromises the security or privacy of the PHI.

    1. Breach excludes:
      1. Any unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a covered entity or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under federal regulation of this part.
      2. Any inadvertent disclosure by a person who is authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the same covered entity or business associate, or organized health care arrangement in which the covered entity participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under federal regulation of this part.
      3. A disclosure of PHI where a covered entity or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information
    2. Except as provided in paragraph (1) of this definition, an acquisition, access, use, or disclosure of PHI in a manner not permitted under federal regulation is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment of at least the following factors:
      1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
      2. The unauthorized person who used the PHI or to whom the disclosure was made;
      3. Whether the PHI was actually acquired or viewed; and
      4. The extent to which the risk to the PHI has been mitigated.

    Unsecured protected health information means PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in the guidance issued under section 13402(h)(2) of Pub. L. 111-5.

    Reference

    45 CFR § 164.400 to 164.41445

    HIPAA Training Policy

    Attachment 6

    Scope of Policy

    This policy governs HIPAA privacy and security training for the UCCS designated health care components. All workforce members of UCCS designated health care components must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

    Those officers, agents, employees, business associates, contractors, affected vendors, temporary workers, students, and volunteers associated with UCCS designated health care components must read, understand, and comply with this policy in full and at all times.

    Policy Statement

    1. It is the Policy of the University, UCCS, and its designated health care components to provide clear and complete HIPAA training to all members of the workforce, including officers, agents, employees, contractors, students, temporary workers, and volunteers.
    2. HIPAA training provided by the university shall include relevant and appropriate aspects of both health data privacy and health data security, as it pertains to UCCS and its designated health care component’s operations and to the duties and responsibilities of specific individuals workgroups, departments, and divisions.

    Procedures

    1. HIPAA training, at a minimum, shall include: the basics of HIPAA itself, the basics of HIPAA’s privacy and security requirements and restrictions, and a review of relevant and appropriate internal policies and procedures related to HIPAA and HIPAA compliance.
    2. HIPAA training shall be provided to all new hires during the new employee orientation period, before new workforce members are exposed to or work with individually identifiable health information.
    3. Each UCCS designated health care component shall conduct required HIPAA training periodically for all employees, but no less than annually.
    4. Fostering ongoing, continuous HIPAA awareness shall be regarded as a separate type of workforce learning from regular HIPAA training. The UCCS privacy officer and the UCCS security officer, in conjunction with UCCS designated health care component leadership, shall be responsible for the development (or acquisition) and deployment of appropriate HIPAA awareness materials to maintain a high level of HIPAA awareness among the workforce.
    5. HIPAA training resources should aim to develop a general understanding of HIPAA and its requirements and restrictions. HIPAA awareness resources should aim to maintain a high level of HIPAA awareness, and a protective attitude toward confidential data on an ongoing, daily basis.
    6. It is highly recommended that all workforce members take the UCCS HIPAA training module on Skillsoft. For complete instructions on how to access this training please visit the UCCS Ethics and Compliance Website: https://www.uccs.edu/compliance/news/health-insurance-portability-and-accountability-act-1996-hipaa
    7. UCCS designated health care component leadership is responsible for documenting and tracking
      workforce members’ training.

    Reference

    45 CFR § 164.530(b)

    Patients Rights Policy

    Attachment 7

    Scope of Policy

    This policy governs the provision and management of patient rights for UCCS designated health care components. All workforce members of UCCS designated health care components must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

    Those officers, agents, employees, business associates, contractors, affected vendors, temporary workers, students, and volunteers associated with UCCS designated health care components must read, understand, and comply with this policy in full and at all times.

    Policy Statement

    Clinical Record

    1. History and physical
    2. Orders
    3. Progress notes
    4. Lab reports (including contract lab)
    5. Vital signs
    6. Assessments
    7. Consults
    8. Clinical reports
    9. Authorizations and consents
    10. Prescriptions

    Source Clinical Data

    1. X-rays
    2. Images
    3. Fetal strips
    4. Videos
    5. Pathology slides

    External Record and Reports

    1. External records referenced for patient care: other providers’ records, records provided upon transfer
    2. Patient generated records
    3. Personal health records
    1. It is the policy of UCCS and its designated health care components to provide all of the patient rights to our patients that are called for in the HIPAA regulations. The provision of patient rights in a timely and positive manner can enhance the quality of care we provide to patients, by providing certain rights and controls to patients over their individually identifiable health information.
    2. Patient rights that the University provides and supports include:
      1. The right to receive a copy of our Notice of Privacy Practices form, which details how individually identifiable health information may be used or disclosed by the University (pursuant to section 1 of these procedures)..
      2. The right to request restrictions/confidential communications on the use or disclosure of the patient’s medical records (pursuant to section 3 of these procedures). Please see Request for Alternate Means of Communication of Confidential Medical Information form.
      3. The right to access or obtain a copy of medical records about the patient (pursuant to section 3 of these procedures), or about the patient’s minor children (pursuant to section 4 of these procedures). For specific information about protected health information (PHI) disclosures, please see Attachment 8 PHI Uses & Disclosures Policy
      4. The right to request amendments to medical records, with certain limitations (pursuant to section 5 of these procedures).
      5. The right to an accounting of certain disclosures of individually identifiable health information (pursuant to section 6 of these procedures).
      6. The right to file a Privacy Complaint form directly with us, or with the federal government. For specific information about complaints, please see Attachment 10 Complaints.
    3. Each UCCS designated health care component shall implement procedures that document and ensure that all patient rights are carried out appropriately.
    4. No retaliation of any kind is permitted against any person, patient, or workforce member for exercising any right guaranteed by HIPAA.
    5. Patient information related to patient rights includes only that information contained in each patient’s designated record set , which is defined in the HIPAA regulations at § 164.501 as:
      1. A group of records maintained by or for a covered entity that is:
        1. The medical records and billing records about individuals maintained by or for a covered health care provider;
        2. The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
        3. Used, in whole or in part, by or for the covered entity to make decisions about individuals.
      2. The term “record” means any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for a covered entity
    6. It is the policy of UCCS designated health care components that the University’s designated record set, for purposes of fulfilling HIPAA patient rights includes the following types or categories of data and items:
    7. It is the policy of UCCS designated health care components that the University’s designated record set, for purposes of fulfilling HIPAA patient rights excludes the following types or categories of data and items:
      1. Quality Improvement/Quality Measurement reports and abstracts
      2. Statistical data
      3. Committee minutes (not patient-specific treatment related)
      4. Psychotherapy notes, which are the personal notes of a mental health care provider documenting or analyzing the contents of a counseling session, that are maintained separate from the rest of the patient’s medical record. See 45 CFR 164.524(a)(1)(i) and 164.501
      5. Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding. See 45 CFR 164.524(a)(1)(ii).

    Procedures

    1. Notice of Privacy Practices. A UCCS designated health care component that has a direct treatment relationship with an individual must provide the appropriate notice no later than the date of the first occurrence of any form of service delivery including service delivered 28 electronically provided that: 1) If the first service delivery occurs during an emergency treatment situation then the notice should be delivered as soon as practicable after the treatment; and 2) If the first service delivery occurs electronically, the provider must provide electronic notice automatically and contemporaneously in response to the individual’s first request for service.
      1. Except in emergency treatment situations, the UCCS designated health care component with a direct treatment relationship must make a good faith effort to obtain a written acknowledgement of receipt of notice from the individual.
      2. If the individual will not acknowledge receipt of the notice or will not accept the notice, the UCCS designated health care components must document good faith efforts to obtain acknowledgement and the reason why the individual would not acknowledge receipt of the notice or would not accept the notice.
      3. If the UCCS designated health care component maintains a physical service delivery site, the provider must:
        1. Have the notice available at the site for individuals to request to take with them; and
        2. Post the notice in a clear and prominent location.
      4. With reference to electronic device:
        1. The UCCS designated health care component must prominently post the notice on its websites and make the notice available electronically through the websites; and
        2. The UCCS designated health care component may provide the notice to an individual by e-mail if the individual has agreed to electronic notice and has not withdrawn his or her agreement provided however that:
          1. If the e-mail transmission fails and the failure is known to the insurance plan or provider, then a paper copy of the notice must be provided to the individual;and
          2. The individual who is the recipient of electronic notice retains the right to obtain a paper copy of the notice upon request.
      5. Each UCCS designated health care component must retain copies of the notices issued by the UCCS designated health care component and any written acknowledgments of receipt or efforts made to obtain written acknowledgments. Such documentation must be retained as required by Attachment 2 Documentation Policy (Retention).
    2. Right to Request Restrictions/Confidential Communications.
      1. Restrictions.
        1. All requests for restrictions must be made in writing
        2. UCCS designated health care components must agree to a request for a restriction if:
          1. The disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law; and
          2. The PHI pertains solely to a health care item or service for which the individual or other person (other than a health plan on behalf of the individual) has paid the UCCS designated health care component in full.
        3. If a UCCS designated health care component does agree to a restriction, the UCCS designated health care components must not use or disclose PHI in violation of the restriction unless the individual who requested the restriction is in need of emergency treatment and the restricted PHI is needed to provide the emergency treatment. In these cases, the UCCS designated health care components may use the restricted PHI or may disclose the PHI to a health care provider to provide emergency treatment to the individual. If the restricted PHI is disclosed to a health care provider for emergency treatment, the UCCS designated health care component must request that the health care provider who reviews the restricted PHI not further use or disclose the information
        4. A restriction agreed to by a UCCS designated health care component under this policy is not effective to prevent uses or disclosures of PHI required by the Secretary of Health and Human Services or as required or permitted by state or federal law.
        5. A UCCS designated health care component may terminate its agreement to a restriction if:
          1. The individual agrees to or requests the termination in writing;
          2. The individual orally agrees to the termination and the oral agreement is documented; or
          3. The UCCS designated health care component informs the individual that it is terminating its prior agreement to a restriction. However, such termination is not effective:
            1. For PHI created or received before the individual has been informed of the termination; and
            2. For PHI with respect to which the UCCS designated health care components must agree to a restriction as described above.
      2. Confidential Communications. The following are conditions on receiving and responding to requests for confidential communication of PHI by alternative means or at alternative locations:
        1. All requests for alternative communications must be submitted to the UCCS designated health care component in writing using the Request Form Template: Alternate Communication of PHI. Written requests must include the following information:
          1. The patient’s name, date of birth and social security number if required;
          2. The specific means or alternative locations for contact that are desired;
          3. What communications of PHI are involved; and
          4. How the patient intends to pay for the costs of the alternative communication.
        2. Reasonable means of communication may include but are not limited to: transmission via fax, encrypted e-mail, courier service, or overnight express mail delivery. The individual making the request will be informed of his or her responsibility to pay for any charges incurred.
        3. Reasonable alternative locations may include but are not limited to: transmissions of PHI to work addresses (physical or electronic), a friend’s address (physical or electronic), or post office boxes
        4. All other reasonable requests to have communications of PHI sent by specific means or to alternative locations will be granted. An explanation for such requests is not required. A request that no communication of PHI be made is not reasonable and will not be granted.
        5. Any request for alternative communications that does not include a reasonable means for obtaining payment for the service will be denied.
        6. The director/designate of the UCCS designated health care component at which the request is being made is authorized to grant requests to receive confidential communications by specific means or at alternate locations
        7. The director/designate of the UCCS designated health care component at which the request is being made will inform the individual making the request whether the request is granted or denied. If the request is denied, the individual will be informed of the reason for the denial and, if applicable, any alterations to the request that will allow it to be granted
        8. All requests for alternative communications will be documented in the individual’s medical record with a notation of the status of the request and will be maintained permanently in the individual’s medical record. If the request does not apply to the entire medical record, the request will note and identify the specific information that is restricted.
        9. If the PHI that is subject to the restriction was released to a business associate, the business associate will be informed of the request for communications by specific means or to alternative locations.
        10. If a request is granted, UCCS designated health care component personnel must appropriately document the provision of PHI by alternative means or at an alternative location and accommodate the request. Such documentation must be retained as required by Attachment 2 Documentation Policy (Retention)
    3. Right to access or obtain a copy.
      1. General right. An individual has a right to inspect and/or obtain a copy of PHI about the individual in a UCCS designated health care component’s designated record set (see above), as long as the PHI is maintained in the designated record set, except for:
        1. Psychotherapy notes, unless approved by the originator of the notes or the successor of the originator;
        2. Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or other legal proceeding, unless otherwise approved by legal counsel;
        3. UCCS designated health care components, acting under the direction of a correctional institution may deny access, in whole or part, to an inmate’s request to obtain a copy of PHI, if obtaining such copy would jeopardize the health, safety, security, custody, or rehabilitation of the inmate or of other inmates, or the safety of any officer, employee, or other person at the correctional institution or responsible party for the transporting of the inmate
        4. If the PHI was collected during the course of research treatment and the individual previously consented to non-access during the term of research and was informed that his or her right to access the information would be reinstated upon completion of the research. Refer to Attachment 9 Use and Disclosure for Research Purposes.
        5. If the PHI was obtained from another person or entity (not a health care provider)under the promise of confidentiality and allowing access would be reasonably likely to reveal the source of the PHI
        6. PHI maintained by the UCCS designated health care component that is:
          1. Subject to the Clinical Laboratory Improvements Amendments of 1988 (“CLIA”) to the extent the provision of access to the individual would be prohibited by law; or
          2. Exempt from CLIA pursuant to 42 C.F.R. 493.3(a)(2);
      2. Requesting to Inspect and/or to Obtain a Copy
        1. of his or her PHI in a UCCS designated health care component’s designated record set to any healthcare professional employed by the UCCS designated health care components. If the request was not made in writing, the person to whom the request was made must inform the individual of the requirement that requests be in writing. The Authorization to Release and/or Obtain Patient Information form can be used or Request Form Template: View or Copy PHI.
        2. All requests to inspect or to obtain a copy of PHI will be directed to or submitted by the person receiving the request immediately to the director/designate of the UCCS designated health care component.
        3. Upon receipt of a written request, the director/designate of the UCCS designated health care component will either permit or deny access. Denials of access must be in writing and must follow the provisions outlined below
        4. All requests for access must be acted on no later than 30 days after receipt of the written request from the patient.
        5. The director/designate of the UCCS designated health care component should maintain a copy of the completed request form and any documentation relating to any action taken on the request.
      3. Granting a Request to Inspect and/or to Obtain a Copy. If the director/designate of the UCCS designated health care component grants the request, in whole or in part, he or she must inform the individual of the acceptance of the request and provide the access requested by arranging with the individual for a convenient time and place to inspect the PHI. The individual should be provided with access to the PHI in the form or format requested by the individual, if reasonable. If the form or format requested is unreasonable, access may be provided by sharing copies of the information with the individual in some other form or format agreed to by both the UCCS designated health care component and the individual
        1. If the individual agrees in advance to receive a summary of the PHI requested and to accept the fees, if any, associated with creating a summary, the director/designate of the UCCS designated health care component may provide a summary of the PHI instead of providing access to the PHI itself.
        2. If the individual requests copies of the information, the director/designate of the UCCS designated health care component should arrange for the provision of copies within the time limits provided above. The director/designate of the UCCS designated health care component should arrange with the individual for a convenient time and place for the individual to pick up the information or for the information to be mailed. The director/ designate of the UCCS designated health care component may impose a reasonable, cost based fee for copying and may require reimbursement of the costs of any postage associated with the request.
      4. Denial of Access. The UCCS designated health care component may deny access under the following circumstances:
        1. A licensed health care provider has determined that access is reasonably likely to endanger the life or physical safety of the patient or another person.
        2. The PHI refers to another person (not a health care provider) and a licensed health care professional has determined that access is reasonably likely to cause substantial harm to that person.
        3. The person requesting the PHI is the personal representative of the patient and a licensed health care professional has determined that access is reasonably likely to cause substantial harm to the patient or another person.
        4. The patient’s access to the PHI could be psychologically harmful to the patient.
      5. Process for Denial of Access: If a request for access to PHI is denied, in whole or in part, the director/designate of the UCCS designated health care component must:
        1. To the extent possible, give the individual access to any other PHI requested after excluding the PHI to which access was denied;
        2. Provide a timely, written denial to the individual which must:
          1. Be in plain language;
          2. Contain the basis for the denial;
          3. If applicable, contain a statement of the individual’s review rights as provided in paragraph E below, including a description of how the individual may exercise the review rights; and
          4. Contain a description of how the individual may complain internally about UCCS HIPAA policies and procedures, compliance with HIPAA policies and procedures, or HIPAA compliance in general as described in Attachment 10 Privacy Complaints Policy.
        3. If the director/designate of the UCCS designated health care component has denied the request for access because the UCCS designated health care component does not maintain the PHI that the individual has requested and the UCCS designated health care component knows where the information is maintained, the director/designate of the UCCS designated health care component must inform the individual where to direct his or her request for access.
      6. Unreviewable Grounds for Denial. The director/designate of the UCCS designated health care component may deny an individual access to his or her PHI without providing the individual an opportunity for review by the UCCS privacy officer or legal counsel in the following circumstances:
        1. The PHI is excepted from the right to access pursuant to this policy;
        2. The individual has requested access to PHI created or obtained by the UCCS designated health care component in the course of research that includes treatment, the research is in progress, the individual has agreed to a denial of access when consenting to participate in the research that includes treatment, and the UCCS designated health care component has informed the individual that the right of access will be reinstated upon completion of the research;
        3. The individual has requested access to PHI that is contained in records that are subject to the Privacy Act, 5 U.S.C. section 552a, and access may be denied under the provisions of the Privacy Act; or
        4. The individual has requested access to PHI that was obtained from someone other than a health care provider under a promise of confidentiality and the access requested would be reasonably likely to reveal the source of the information.
      7. Reviewable Grounds for Denial. The director/designate of the UCCS designated health care component may deny an individual access in the following circumstances:
        1. A licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person;
        2. The PHI makes reference to another person (other than a health care professional) and a licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to cause substantial harm to the other person; or
        3. The request for access is made by the individual’s personal representative and a licensed health care professional has determined, in the exercise of professional judgment, that the provision of access to the personal representative is reasonably likely to cause substantial harm to the individual or another person.
        4. If access is denied pursuant to this policy, the individual has the right to have the denial reviewed by the UCCS privacy officer and legal counsel. Requests for review must be immediately referred to the UCCS privacy officer. The reviewing parties must determine within a reasonable period of time whether to grant or deny access. The reviewing parties’ determination must be promptly provided to the individual in writing, and the UCCS designated health care component must take action to carry out the determination
    4. Privacy Rights of Minors. Although minors do not generally have the authority to exercise rights on their own behalf, state law and the HIPAA Privacy Rule provide minors with the authority to exercise control over certain categories of their own PHI
      1. General. UCCS designated health care components will respond appropriately to minors' requests to keep certain categories of their PHI confidential and to exercise the rights 33 granted to patients by the HIPAA Privacy Rule in accordance with state and federal laws and regulations
      2. Minor's Right to Consent to Certain Treatment. A minor may seek and receive the following types of health care services independently from the minor’s parent(s) or legal guardian, meaning parental consent is not required:
        1. HIV/AIDS testing and treatment;
        2. Testing and treatment for venereal and sexually transmissible diseases(STDs);
        3. Pregnancy and pre-natal care;
        4. Chemical dependency services (both alcohol and drugs); and
        5. Birth control services. Except where child abuse or neglect are concerned, abortion procedures may not occur until 48 hours after the parent(s) or legal guardian has been notified in writing. However, a minor may elect to not allow notification with a proper court order.
      3. Minor’s Right to Consent Under Special Circumstances. A minor may seek and receive health care services independently from the minor’s parent(s) or legal guardian under the following circumstances:
        1. Emancipated. A minor is emancipated:
          1. By court order, or
          2. By contracting a lawful marriage, or
          3. . If the minor is 15 years of age or older and is living separate and apart from the minor’s parent(s) or legal guardian, with or without the consent of the minor’s parent(s) or legal guardian, and is managing the minor’s own financial affairs, regardless of the source of the minor’s income.
          4. Emancipated minors may give consent to organ or tissue donation or consent to hospital, medical, dental, emergency health, and surgical care to him/herself.
        2. Mental Health Services. A minor who is 15 years of age or older may independently consent to mental health services but may not necessarily independently consent to disclose the minor’s PHI in this circumstance. A health care provider may, with or without the consent of the minor, advise the parent(s) or legal guardian of the services given or needed.
        3. Sexual Assault. A minor may consent to medical treatment for sexual assault.
        4. Parent. A minor who is a parent may request and consent to organ or tissue donation of the minor’s child or the furnishing of hospital, medical, dental, emergency health, and surgical care to the minor’s child or ward.
        5. Abuse. If the health care provider reasonably believes the minor has been or is subject to domestic violence, abuse, and/or neglect, the health care provider must make a reasonable effort to notify the parent(s) or legal guardian before treatment
      4. Except when the minor seeks mental health services, the minor's parent(s) or legal guardian does not have the right to the minor's PHI if the minor alone consented to the treatment, unless the minor authorizes the release. Refer to Attachment 8 PHI Uses and Disclosures Policy
      5. Colorado law applies. For example, if a minor whose residence is the state of Texas comes to UCCS’s primary care clinic, the laws of the state of Colorado concerning minors apply.
      6. Any questions about whether a minor's PHI is confidential, or whether access should be made available to the minor's parent(s) or legal guardian, should be directed to the minor's health care provider or the UCCS privacy officer.
    5. Right to Amend. UCCS designated health care components must provide an individual with an opportunity to request that a UCCS designated health care component amend PHI maintained in the designated record set. Except as specifically limited by this policy, individuals will be allowed to amend PHI maintained in their medical or billing records.
      1. However, amendments may be denied in the following circumstances:
        1. UCCS did not create the record that the individual seeks to amend.
          1. A request for the amendment of PHI that was not created by a UCCS designated health care component will be considered if the individual submits reasonable evidence of the non-existence or non-availability of the person or facility that created the PHI. Such requests will be granted only if they do not fall into another category listed for denial.
        2. A UCCS designated health care component does not maintain the information as part of the individual’s medical record or designated record set
        3. After reviewing the request and the PHI that is the subject of the request, the UCCS designated health care component determines that the PHI is accurate and complete as recorded in the medical record or designated record set
        4. The PHI is the type that would not be available to the individual for inspection. PHI not available for inspection includes:
          1. Psychotherapy notes;
          2. Certain drug and alcohol information;
          3. PHI compiled in anticipation of or for use in civil, criminal or administrative proceedings;
          4. PHI pertaining to participation in ongoing research programs, provided the individual previously signed an agreement to forego access to the individual’s PHI during the term of the study;
          5. PHI obtained from someone other than a healthcare provider under a promise of confidentiality, if allowing access would be reasonably likely to reveal the source of the PHI;
          6. PHI that is reasonably likely to endanger the life or physical safety of the individual or anyone else;
          7. PHI that makes reference to another person and the individual’s (or representative’s) access to that PHI would be reasonably likely to cause harm to that person;
          8. PHI sought by a representative of the individuals, if access by the representative would cause substantial harm to the individual or another individual.
      2. UCCS designated health care components will incorporate any amendments to PHI made by another covered entity if the UCCS designated health care component is notified of the amendment and the same PHI was also disclosed to the UCCS designated health care component.
      3. All requests to amend an individual’s medical record will be forwarded to the director/designate of the UCCS designated health care component in which the record resides
        1. The director/designate of the UCCS designated health care component will handle all inquiries regarding the amendment of PHI. Upon request, the director/designate will provide any individual or individual’s representative with a Request for Amendment of Health Information form
        2. Upon receipt of a complete Request for Amendment of Health Information form, the director/designate of the UCCS designated health care component will forward the request and the record in question to the originator of the medical record. The director/designate of the UCCS designated health care component will ensure the timely receipt of determination. The director/designate will notify the UCCS privacy officer when a determination is not made within 60 days of the original request. The originator of the medical record (the “originator“) will review the PHI in conjunction with the request, consulting with legal counsel as necessary. Within 10 days of receipt of the request, the originator will submit a preliminary determination to the director/designate, who will review and make a final determination on the request.
        3. If the originator of the PHI is not available, the amendment will be reviewed by a committee made up of: the director/designate of the UCCS designated health care component in which the request is being made; legal counsel; UCCS privacy officer; a Chancellor appointee; and other members as deemed necessary. This committee will accept or reject the request for amendment.
      4. If the request to amend PHI is granted, the Approval of Request to Amend Healthcare Information form will be sent to the individual with a copy of the Authorization to Release and or Obtain Patient Information form. A copy of the Approval of Request will be filed in the individual’s medical record.
      5. If the request to amend PHI is denied, a Denial of Request to Amend Healthcare Information form will be sent to the individual. A copy of the Denial of Request will be filed in the individual’s medical record.
      6. If the individual replies to the Denial of Request to Amend Healthcare Information, the written rebuttal will be included in the individual’s medical record. All future disclosures of the PHI at issue will include the rebuttal statement. If the patient requests in writing that the request for amendment be included in all future disclosures of the relevant PHI, such requests will also be added to the individual’s medical record and all future disclosures will include the request for amendment
    6. Right to Receive an Accounting.
      1. Upon written request, the UCCS designated health care component shall provide an individual with an accounting pursuant to this policy. The Request for Accounting of Disclosures of Protected Health Information form is available for the individual to complete.
      2. UCCS designated health care components shall provide an accounting for the following disclosures of PHI:
        1. To health oversight agencies, see Addendum A to this policy for complete list;
        2. For public health activities, see Addendum A to this policy for complete list;
        3. For research-related treatment;
        4. Other disclosures not included as an exception listed below
      3. An accounting will not be provided for the following:
        1. Disclosures made for treatment, payment, and healthcare operations;
        2. Disclosures made to the individual;
        3. Disclosures made for the patient directory;
        4. Disclosures made to persons involved in the individual’s care including disclosures made to family members;
        5. Disclosures made for national security or intelligence purposes;
        6. Disclosures to correctional institutions or law enforcement officials in custody of an inmate or suspect;
        7. Disclosures made pursuant to an authorization signed by the individual;
        8. Disclosures that are part of a limited data set;
        9. Incidental disclosures as defined by Minimum Necessary Standards;
        10. Disclosures of de-identified information
      4. An individual is entitled to one accounting per year at no charge. If an individual requests more than one accounting per twelve (12) month period, the individual will be charged a reasonable, cost-based fee for each subsequent request for an accounting by the same individual within the 12 month period.
      5. The UCCS designated health care component that received a written request for an accounting shall respond to the request within 60 days unless an extension of no more than 30 days is requested.
      6. An individual’s right to receive an accounting may be suspended for a specified period of time as a result of a request from a health oversight agency or a law enforcement individual
      7. The accounting must include the following information:
        1. All disclosures (not including those excepted from disclosure as described in section IV above) for a 6-year period prior to the receipt of the request, but not before April 14, 2003, including disclosures by or to business associates;
        2. Dates of the disclosures;
        3. Recipients with addresses, if known;
        4. Description of the PHI disclosed;
        5. Purpose of the disclosure;
        6. For multiple disclosures to the same recipient for the same purpose, the requisite information described above for the first disclosure, the frequency or number of disclosures made, and the date of the last disclosure; and
        7. For disclosures made for a research purpose for 50 or more individuals, as described in Attachment 9 Use and Disclosure for Research Purposes: the name of the activity; a description of the activity; a description of the type of PHI disclosed; the period during which the disclosures occurred; the name and contact information for the entity and researcher to which the PHI was disclosed; and a statement that the PHI may or may not have been disclosed for a particular research activity. If it is reasonably likely that the PHI may have been disclosed for a particular research activity and the individual so requests, the UCCS designated health care component shall assist the individual in contacting the research sponsor and the researcher
      8. The UCCS designated health care component must maintain documentation that includes the information required to be included in the accounting, the persons or offices responsible for providing the accounting, and any accounting provided in response to a request.

    Reference

    45 CFR § 164.520 to 164.528

    45 C.F.R. §164.522(a)

    C.R.S. § 13-22-102 Minors-consent for medical care and treatment for addiction to or use of drugs

    C.R.S. § 13-22-103 Minors-consent for medical, dental, and related care

    C.R.S. § 13-22-103.5 Minors-consent for medical care-pregnancy

    C.R.S. § 13-22-105 Minors-birth control services rendered by physicians

    C.R.S. § 12-37.5-104 Notification concerning abortion

    C.R.S. § 12-37.5-107 Judicial Bypass

    C.R.S. § 12.37.5-105 No notice required-when.

    C.R.S. § 27-10-103 Voluntary applications for mental health services

    C.R.S. § 13-22-106 Minors-consent-sexual offense

    Planned Parenthood of Rocky Mountains v. Owens, 287 F.3d 910 (10th Cir. 2002)

    45 CFR 164.502(g)(3)(i) Un-emancipated minors.

    Addendum A: List of Possible PHI Disclosures


    Any protected health information (PHI) disclosures made under these circumstances or to these agencies
    must be tracked.


    Public Health Authorities
    • Surveillance
    • Investigations
    • Interventions
    • Foreign governments collaborating with US public health authorities
    • Recording Deaths
    • Child Abuse
    • Elder Abuse
    • Prevent Serious Harm
    • Communicable Disease (see Colorado Board of Health’s Reportable Diseases below)


    Food and Drug Administration
    • Adverse events, serious side effects, product defects or biological product deviations
    • Track products
    • Enable product recalls, repairs, or replacements
    • Conduct post marketing surveillance
    • Manufactures of defective products


    Employer
    • To employer requesting healthcare be provided to their employee
    • Medical surveillance
    • Work related injury or illness
    • Occupational Safety and Health Administration (OSHA) regulations or similar state law


    Health Oversight
    • Government benefit program
    • Civil rights laws
    • Vital statistics


    Judicial and Administrative Proceedings
    • Court order
    • Subpoena
    • Law Enforcement not in custody of an inmate or suspect
    • As required by law
    • Court order, court ordered warrant, subpoena or summons
    • Administrative request
    • Locating a suspect, fugitive, material witness or missing person
    • Emergency treatment, crime is not on premises
    • Victims of crime (for example child and elder abuse, certain wounds incurred with domestic
    violence)
    • Crimes on premises
    • Suspicious deaths
    • Avert a serious threat to health or safety


    Specialized Government Functions
    • Military and Veterans activities
    • Protective services
    • Department of State: Medical Suitability
    • Government programs providing public benefits
    • Foreign military personnel


    Workmen’s Compensation
    • Comply with Colorado Law


    Colorado Department of Public Health & Environment
    For the most up-to-date information on communicable and environmental conditions that must be
    reported to the Colorado Department of Public Health & Environment please click here:
    https://drive.google.com/file/d/1n-OfQQJMwLTvsPkXs9ArMQzoBLEDiKRN/view


    For additional reporting information, please visit the Colorado Department of Public Health &
    Environment’s website: www.colorado.gov/cdphe/report-a-disease

    PHI Uses and Disclosures Policy

    Attachment 8

    Scope of Policy

    This policy governs the permitted uses and disclosures of protected health information (PHI) for UCCS designated healthcare components. All workforce members of UCCS designated healthcare components must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

    Those officers, agents, employees, business associates, contractors, affected vendors, temporary workers, students, and volunteers associated with UCCS designated healthcare components must read, understand, and comply with this policy in full and at all times.

    Policy Statement

    1. It is the policy of UCCS and its designated healthcare components to conduct its operations in full compliance with HIPAA rules governing uses and disclosures of PHI.
    2. UCCS designated healthcare components will apply the Minimum Necessary Standard for access and disclosures of PHI.
    3. UCCS designated healthcare components will process requests for information from individual’s records in a timely, consistent manner as set forth in this policy.
    4. This policy applies equally to all records, including electronic records. No employee shall release any type of records without complying with this policy.

    Procedures

    1. Permitted or Required Uses or Disclosures.
      1. PHI shall not be used or disclosed except in the following circumstances:
        1. The individual who is the subject of the PHI requests the individual’s own information;
        2. For treatment, payment, or Health Care Operations;
        3. For the treatment activities of a health care provider (other than the UCCS designated healthcare components);
        4. To another HIPAA covered entity or health care provider (other than the UCCS designated healthcare components) for the payment activities of the covered entity or other health care provider;
        5. To another covered entity or health care provider for its health care operations so long as the covered entity or other health care provider each have or had a relationship with the individual whose PHI is being used or disclosed to the covered entity or other health care provider and the information pertains to that relationship;
        6. Incidental disclosures that are incident to a use or disclosure otherwise permitted or required by this policy and provided that the UCCS workforce member or student has applied appropriate safeguards, used the Minimum Necessary Standard, and adequately demonstrated that there was no other option;
        7. Pursuant to a valid authorization form (Authorization to Release and/or Obtain Patient Information form) and in accordance University and UCCS policies that relate to authorization; and
        8. As permitted by other applicable policies, including de-identified information, limited data sets, and other categories covered under this policy.
      2. UCCS designated healthcare components will disclose PHI to individuals in accordance with Attachment 7 Patient Rights Policy.
      3. Prohibition of Redisclosure. Unless a law or regulation requires a more specific prohibition on redisclosure (usually for AIDS/HIV, alcohol and drug abuse, and other particularly sensitive medical information), each disclosure outside the UCCS designated healthcare component shall contain the following notice:
        1. The attached medical information pertaining to [Name of client/patient] is confidential and legally privileged. Clinic Name, a UCCS Designated Healthcare Component, has provided it to [Name of recipient] as authorized by the patient. The recipient may not further disclose the information without the express consent of the patient or as authorized by law.
      4. Courtesy Notifications to Provider. As a courtesy, UCCS designated healthcare component records processing personnel shall notify the appropriate UCCS designated healthcare component healthcare provider when any of the following occur:
        1. Individual or representative requests information from the medical record.
        2. Individual or representative requests direct access to the complete medical record.
        3. Individual or representative institutes legal action.
    2. Disclosure Monitoring and Logging.
      1. Each UCCS designated healthcare component shall maintain a log to track the step-by-step process towards completion of each request for the release of PHI (for example, Disclosure Accounting Log). Each director/designate of the UCCS designated healthcare components will review and update this log daily to give proper priority to requests and to provide early intervention in problem situations. The log shall contain the following information:
        1. Date department received the request.
        2. Name of patient.
        3. Name and status (patient, parent, guardian) of person making request.
        4. Information released.
        5. Date released.
        6. Fee charged.
      2. Disclosure Quality Control. Each UCCS designated healthcare component and/or the UCCS privacy officer shall conduct a routine audit of the release of information at least annually, paying particular attention to the following:
        1. Validity of authorizations.
        2. Appropriateness of information abstracted in response to the request.
        3. Retention of authorization, request, and transmitting cover letter.
        4. Procedures for telephone, electronic, and in-person requests.
        5. Compliance with designated priorities and timeframes.
        6. Proper processing of fees.
      3. Documentation of the Release. Unless the request specifies release of the complete medical record, the UCCS designated healthcare component shall release only selected portions of the record.
      4. Retention of Disclosure Requests. The UCCS designated healthcare component will retain the original request, the authorization for release of information, and a copy of the cover letter in the individual’s medical record for the appropriate record retention period pursuant to Attachment 2 Documentation Policy (Retention).
    3. Timeline and Fee Schedule.
      1. Each UCCS designated healthcare component will process requests for information from individual’s medical records within thirty (30) calendar days and in a consistent manner as set forth in this policy.
      2. Each UCCS designated healthcare component will charge a reasonable fee to offset the costs associated with specific categories of requests. Fees shall be based on an assessment of such factors as the costs of equipment and supplies, employee costs, and administrative overhead and shall include postage (including express mail or courier costs) when incurred at the request of the authorizing party. For requests for records in electronic format, HIPAA permits fees to include only direct labor costs when responding to such requests. Individual states have also established maximum fees for copies of patient records.
    4. Use of Copying Services. To facilitate the timely processing of release of information requests, UCCS designated healthcare components may use the services of a commercial copying service on terms that protect the integrity and confidentiality of patient information.
    5. Marking and Fundraising.
      1. Marketing. PHI may not be used or disclosed for marketing purposes without a valid authorization, HIPAA Authorization for Release of Health Information – Media form, except in the following circumstances:
        1. If the communication is a face-to-face communication between an employee of a UCCS designated healthcare component and the individual; or
        2. If the communication involves only a promotional gift of nominal value provided by the UCCS designated healthcare component.
        3. If the marketing involves direct or indirect remuneration to the UCCS designated healthcare component from a third party, the authorization must state that remuneration is involved. The UCCS designated healthcare component cannot sell PHI to any other person or entity.
      2. Fundraising. All fundraising communications must contain a clear and conspicuous opportunity to elect not to receive any further fundraising communications. The method for opting out must not cause the individual to incur an undue burden or more than a nominal cost. Fundraising communications may not be made to an individual who has elected not to receive such communications.
        1. UCCS designated healthcare components may use the following PHI without a patient’s authorization for fundraising purposes:
          1. Patient demographic data (name, address, phone/email, date of birth, age, gender, etc.);
          2. Health insurance status;
          3. Dates of patient services;
          4. General type of department in which a patient is serviced;
          5. Treating physician information; and
          6. Outcome information.
        2. PHI requiring written patient authorization prior to fundraising use includes:
          1. Diagnosis;
          2. Nature of services; and
          3. Treatment.
    6. De-Identification of Data. There are two methods of de-identification: 1) use of statistical methods proven to render information not individually identifiable, and 2) deletion of 18 specified identifiers. Once PHI has been de-identified, it is no longer PHI, and the restrictions and requirements of federal and state privacy laws no longer apply. However, if a re- identification code is added to the data, certain privacy and security rules apply to the code. Specific questions regarding this should be addressed to the UCCS privacy officer and/or the UCCS security officer.
    7. Training Requirements. Each UCCS designated healthcare component shall give periodic in- service training to all employees involved in the release of information.
    8. Authorization.
      1. All disclosures must have a written, signed, current, valid authorization to release medical information as follows:
        Patient Category Required Signature
        Adult Patient The patient or a duly authorized representative, such as court-appointed guardian or attorney. Proof of authorized representation required (such as notarized power of attorney).
        Deceased Patient Next of kin as stated on admission face sheet (state relationship on authorization) or executor/ administrator of estate.
        Unemancipated Minor Parent, next of kin, or legally appointed guardian or attorney (proof of relationship required).
        Emancipated Minor Same as adult patients above.
        Psychiatric, drug, alcohol program patients/clients Same as adult patients above, but check for special requirements
        AIDS/HIV or other sexually transmitted disease patients Same as adult patients above, but check for special requirements
      2. Forms. Each UCCS designated healthcare component shall use the Authorization to Release and/or Obtain Patient Information form whenever possible. Each UCCS designated healthcare component shall, however, honor letters and other forms, provided the letter or form includes all the required information. Specific questions regarding whether a third party’s letter or form is sufficient can be directed to the UCCS privacy officer and/or legal counsel.
      3. Revocation. An individual may revoke an authorization by submitting the Revocation of Authorization form to the appropriate UCCS designated healthcare component. The revocation shall become effective when the UCCS designated healthcare component receives it but shall not apply to disclosures already made.
      4. Refusal to Honor Authorization. UCCS designated healthcare components and/or the UCCS privacy officer and/or others authorized to release information will not honor an individual’s authorization when there is reasonable doubt or question as to the following information:
        1. Identity of the person presenting the authorization. For process of verification, each UCCS designated healthcare component shall use the table below.
        2. Status of the individual as the duly appointed representative of a minor, deceased, or incompetent person.
        3. Legal age of or status as an emancipated minor.
        4. Patient capacity to understand the meaning of the authorization.
        5. Authenticity of the patient’s signature.
        6. Current validity of the authorization.
        7. In such situations, the UCCS designated healthcare component shall refer the matter to the UCCS privacy officer for review and decision.

    Person and Identity Verification Table

    Person to Identify In-Person Encounter Telephone Encounter Request in Writing (Fax, mail, hand-delivered)
    Attorney
    • Presents with business card and photo identification (i.e. driver’s license or organization ID badge)
    • It would be difficult to verify identity and authority by phone. Verification in person or in writing may be required
    • Supplies business card, photo identification (i.e. driver’s license or org ID badge), letterhead. Confirmation call is required.
    Patient
    • Patient provides name, address, and date of birth and/or social security number; or
    • Acquainted with patient
    • Patient provides name, address, and date of birth and/or social security number; or
    • Acquainted with patient
    • Patient provides name, address, and date of birth and/or social security number. Verify patient’s signature with that on file or on driver’s license.
    Personal Representative (Legal Guardian) for the Patient
    • Personal Rep provides patient’s name, address, and date of birth and/or social security number, and verifies (via legal docs) relationship to patient; or,
    • Acquainted with personal Rep
    • Personal Rep provides patient’s name, address, and date of birth and/or social security number, and verifies (via legal docs) relationship to patient; or,
    • Acquainted with Personal Rep as such.
    • Personal Rep provides patient’s name, address, and date of birth and/or social security number. Verify the Personal Rep’s signature with signature on file or on driver’s license.
    Persons Involved in the Patient’s Immediate Care (PHI relevant only to the patient’s current care (164.510(b)).
    • Blood Relative
    • Spouse
    • Domestic Partner
    • Roommate
    • Boy/Girl Friend
    • Neighbor
    • Colleague
    • Patient actively involves this person in his/her care; or
    • In your best professional judgment, the disclosure is in the patient’s best interest.
    • Patient actively involves this person in his/her care; or
    • In your best professional judgment, the disclosure is in the patient’s best interest.
    • Use call-back.
    • N/A
    Power of Attorney (POA) for the Patient
    • Presents with a photo ID and a copy of the POA. Verify patient’s signature with one on file.
    • Acquainted with power of attorney
    • Previously obtained a copy of the POA and verified the patient’s signature with one on file.
    • Acquainted with power of attorney as being such
    • Obtain a copy of the POA and verify the patient’s signature with one on file
    Provider from Another Facility
    • Acquainted with provider as a treatment provider;
    • Provider is wearing a photo badge from his/her facility; or,
    • Patient/personal representative introduces provider to you.
    • Acquainted with provider as a treatment provider; or;
    • Call requestor back through main switchboard number (not via a direct number).
    • Recognize name of facility and address on letterhead as a treatment facility; or
    • Call requestor back through main switchboard number (not via a direct number).
    Public Official
    • CIA
    • Court Order
    • FBI
    • Law Enforcement Officer
    • OCR
    • OIG
    • Public Health Agency Official
    • Other
    • Presents an agency I.D. badge;
    • Presents with a written statement of legal authority;
    • Presents with a written statement of appointment on appropriate government letterhead;
    • Presents with warrant, court order, or legal process issued by a grand jury, or a judicial or admin. tribunal;
    • Presents with a contract for services or purchase order; or,
    • Official states release is necessary to prevent or lessen the threat to the health/safety of a person/public.
    • Official states release is necessary to prevent or lessen the threat to the health/safety of a person/public.
    • Written statement of legal authority;
    • Written statement of appointment on appropriate government;
    • Warrant, court order, or other legal process issued by a grand jury or a judicial or administrative tribunal; or
    • Contract for services or purchase order
    Vendor Who Assists with Treatment, Payment, or Health Care Operations

    Examples Include, But Are Not Limited to the Following:

    • Accreditation Org.
    • DME Company
    • Insurance Co.
    • Pharmacy Vendor We Have Rebate Agreement with
    • Software Vendor
    • Statement Vendor
    • Recognize requestor/ organization; or
    • Photo identification with organization
    • Recognize requestor or organization
    • Recognize requestor/ organization; or
    • Call requestor back through main switchboard number (not via a direct number).
    Workforce Member of Our Organization
    • Acquainted with individual as a workforce member; or,
    • Workforce member is wearing an I.D. badge.
    • Acquainted with individual as a workforce member; or,
    • Workforce member is calling from an in-house extension.
    • Request is sent from/through our own computer system; or
    • Request is on our own letterhead.
    Non-Workforce Member of Our Organization
    • No access granted unless approved by legal and compliance
    • No access granted unless approved by legal and compliance
    • No access granted unless approved by legal and compliance

    PHI Disclosures Table

    Disclosures should follow Attachment 7 Patient Rights Policy, what is included in a designated record set.

    Requestor Authorization Required? Copy Fee Charged? Track on Disclosure Accounting?
    Accrediting Agencies (JCAHO, CARF) No No No
    Attorney for Facility/Corporation No No No
    Contractors/Business Associates No, unless their purpose falls outside of TPO. No No
    For Deceased Persons
    • Coroner or Medical Examiner, Funeral Directors
    • Organ Procurement
    No No Yes
    Employer
    • PHI specific to work related illness or injury, and
    • Required for employer’s compliance with occupational safety and health laws
    No, for the purpose listed.

    Yes, for all others.
    No No
    Family Members No for oral disclosures to family members involved in care so long as patient consents (orally or in writing); Yes, for others.. Yes No
    Entity Subject to the Food and Drug Administration
    • Adverse events, product defects or biological product deviations
    • Track products
    • Enable product recalls, repairs, or replacements
    • Conduct post marketing surveillance
    No No Yes
    Health Oversight
    • Government benefits program
    • Fraud and abuse compliance
    • Civil rights laws
    • Trauma/tumor registries
    • Vital statistics
    • Reporting of abuse or neglect
    No No Yes
    Health Care Practitioners and Providers for Continuity of Treatment and Payment No No No
    Health Care Practitioners and Providers if not Involved in Care or Treatment (i.e., consultants) No No No
    Insurance Companies/Third Party Payors
    • Related to Claims Processing
    No No No
    Judicial and Administrative Proceedings
    • Court order, or warrant
    • Subpoena
    No

    No - See Subpoena Policy
    No

    Yes
    Yes

    Yes
    Law Enforcement
    • Administrative request
    • Locating a suspect, fugitive, material witness or missing person
    • Victims of crime
    • Crimes on premises
    • Suspicious deaths
    • Avert a serious threat to health or safety
    No No Yes, except for disclosures to correctional institutions.
    Public Health Authorities
    • Surveillance
    • Investigations
    • Interventions
    • Foreign governments collaborating with US public health authorities
    • Recording births/deaths
    • Child/elder abuse
    • Prevent serious harm
    • Communicable disease
    No No Yes
    Research (w/o Authorization) (See Attachment 9 Uses and Disclosures for Research Purpose) No, if IRB or Privacy Board approves research study and waives authorization. No Yes
    Specialized Government Functions
    • Military and Veterans' activities
    • Protective services for the President
    • Foreign military personnel
    • National security and intelligence activities
    No No Yes, except for disclosures for national security and intelligence activities.
    Workers' Compensation
    • Comply w/existing laws (see state law)
    No See applicable State Law Yes

    Related Policies

    Code of Conduct
    Data Governance
    Electronic Communications
    E-Mail as Official Means of Communication
    IT Security Program
    Social Media Policy
    Reporting and filing a complaint (see Compliance and Ethics Website)

    Reference

    45 CFR § 164.502 to 164.514
    6 Colo. Code Regs. § 1011-1:IV-8.102
    C.R.S. § 25-1-801
    6 Colo. Code Regs. § 1011-1:II-5.2
    Colo. Code Regs. §§ 502-1:21.170.2; 502-1:21.170.3

    Use and Disclosure for Research Purposes

    Attachment 9

    Scope of Policy

    This policy governs the privacy circumstances under which protected health information (PHI) may be disclosed for research purposes for UCCS and its designated healthcare components. All workforce members of UCCS designated healthcare components must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

    Those officers, agents, employees, business associates, contractors, affected vendors, temporary workers, students, and volunteers associated with UCCS designated healthcare components must read, understand, and comply with this policy in full and at all times.

    Policy Statement

    1. It is the Policy of UCCS and its designated healthcare components to permit use and disclosure of the PHI it maintains for research only as provided in this policy, regardless of the source of funding of the research. Specifically, UCCS designated healthcare components will only permit research use and disclosure of the PHI as follows:
      1. When the individual who is the subject of the PHI provides prior authorization (Authorization to Use or Disclose Identifiable Health Information for Research form); or
      2. Without the individual’s prior authorization if:
        1. Documentation (Activities Preparatory to Research Request for Waiver form) submitted to the Privacy Board for approval is obtained from the researcher that the use or disclosure of the PHI is solely for preparation for research, e.g., to prepare a research protocol or check subject eligibility;
        2. The researcher submits adequate documentation (Required Representations for Research on Decedents Information form) to the Privacy Board for approval that the use or disclosure of the PHI is solely for research on decedents;
        3. The Privacy Board has approved a waiver or alteration of the authorization requirement (Request for Waiver of Elements of Authorization or an Altered Authorization form);
        4. The PHI is de-identified in compliance with HIPAA's limited data set or de-identification requirements;
        5. Research qualifies for the transition provisions because it was obtained prior to the date of 4.15.03. (45 CFR 164. 532 (a) and (c)).

    Procedures

    1. Accounting for Disclosures. Participating in research does not change the subject’s rights to the accounting of disclosure. Each UCCS designated healthcare component must develop a policy and/or procedure related to how the designated healthcare component will provide an accounting as per Attachment 7 Patient Rights Policy.
    2. Privacy Board Procedures and Forms. Privacy Board Standard Operating Procedures (SOP) and forms are located on the Compliance website under the Privacy Board category https://www.uccs.edu/compliance/news/privacy-board. The Privacy Board SOP covers procedures related to Section B above.
    3. Use and Disclosures of PHI for Research with Authorization
      1. Notice of Privacy. It is required that all individuals entering a research protocol be given the UCCS Notice of Privacy Practices. The Notice of Privacy Practices is often given to a research subject upon registration. If a research subject does not enter the research setting through clinic registration, then the research team is responsible for providing the notice to subjects. A copy of the signature page acknowledging receipt of the notice should be kept in the subject’s research file.
      2. Obtain Authorization. The members of the research team must determine that it is necessary (or mandated, in the case of clinical research trials) to obtain the individual’s authorization. They will ensure that the Authorization to Use or Disclose Identifiable Health Information for Research form discloses how the individual’s PHI will be used or disclosed and contains the following:
        1. Description of the PHI to be used or disclosed, and must describe identifying information in a specific and meaningful manner;
        2. Names and specific identification of persons (all classes of persons) authorized to request, use or disclose the information required;
        3. Names and specific identification of persons (all classes of persons) or institutions receiving the PHI disclosure (example: data coordinating centers, sponsors, IRB’s, Data Safety Monitoring Boards);
        4. A description of each purpose for use or disclosure;
        5. Expiration date or event that relates to the purpose of the disclosure (example: “end of research” or “no expiration”);
        6. A statement that the subject has the right to revoke the Authorization, a description of the revocation process, and a list of all exceptions;
        7. Whether treatment, payment, enrollment, or eligibility can be conditioned on the authorization (including research-related treatment) and consequences of refusing to sign the authorization (Example: “research may not be allowed to continue if authorization is withheld” refer to Section 3.E . - Refusal to Sign Authorization or Revoking Authorization);
        8. A statement of the potential risk that the PHI will be re-disclosed by the researcher or any other recipient. This may be a general statement that the HIPAA Privacy Rule may no longer protect health information disclosed to the recipient;
        9. Statement that the authorization is for a specific research protocol and that authorizations for future unspecified research are not permitted; and
        10. Subject signature and date.
      3. Legal Representative. If the authorization is to be signed by someone other than the research subject, the members of the research team will ensure that the person signing has appropriate authority as the individual’s personal representative as set forth in Attachment 8 PHI Uses & Disclosures Policy.
      4. Access to Research Records in Blinded Clinical Trials. Patients have the right to access, inspect, and obtain copies of their research records. However, the access provisions do not require that individuals be provided with access to their PHI the entire time they are participating in a clinical trial, so long as the Authorization adequately informs them of their rights. For blind clinical trials, the authorization form must state that individuals will not be provided access to their PHI while the clinical trial is open. By limiting the individual’s access to their PHI through the duration of the clinical trial, the “blinding” aspects of the research and the design of the research protocol are preserved. This limited access does not affect research subjects’ legal rights and should be necessary only during the treatment phase of the research/clinical trial.
      5. Refusal to Sign Authorization or Revoking Authorization. In the event an individual refuses to sign an authorization or revokes a current authorization, the members of the research team may consult with the Institutional Review Board (IRB) chair (or designee) and/or Privacy Board chair to determine if the individual should be denied enrollment in the trial. The members of the research team shall be responsible for documenting any decision to deny participation in the trial and providing the individual with a written statement of such a decision. A copy of the written letter must be placed in the research file.
      6. Amendment of Authorization. If the individual’s authorization is obtained, the individual’s PHI can be used and disclosed in the manner that is consistent with the terms of the authorization. If any person wishes to use or disclose the PHI for a purpose that is not set forth in the original authorization, the members of the research team are responsible for ensuring that a second authorization is obtained prior to such use or disclosure.
    4. Coded Information. Researchers using a limited data set may utilize unique codes or identifiers. The code may not replicate a part of a listed direct identifier. For example, the code or limited data set cannot include the last four digits of a social security number or ID number. Use of statistical methods to render a code is permitted so long as the code is not individually identifiable, and risk of re-identification is very small.
    5. Specimen Repositories. Identifiable specimens should be coded or de-identified to provide adequate protection. All protections and procedures listed in this Policy apply to the use of identifiable research specimens.
    6. Electronic and Internet Research. All users of research data utilizing remote access are responsible for ensuring that their use of computers (internal and external), networks, and the Internet will not compromise the security of the PHI or technology resources. No PHI may be removed from a UCCS designated health care component without permission. Access to the PHI through a remote access connection is not itself a removal of the PHI, but the printing, copying, saving or faxing of the PHI is considered a removal. Research that involves web access must have proper data security measures in place. Questions about specific security measures may be directed to the UCCS security officer.
    7. Disclosures Required by Law: UCCS designated health care components may be required by law to use or disclose PHI in the following circumstances:
      1. To cancer registries;
      2. Disclosure to the federal government of data first produced under a federal award;
      3. Activities for purposes of preventing or controlling disease, injury or disability (for example, reporting to the National Institute of Health, Food and Drug Administration or Centers for Disease Control, Department of Health and Human Services or Morbidity and Mortality Weekly Report);
      4. Reporting to Office of Sponsored Programs and Research Integrity for compliance of research activity.

    Related Policies

    Code of Conduct
    Office of Sponsored Programs Website
    Privacy Board Standard Operating Procedures
    Reporting and filing a complaint (see Compliance and Ethics Website)
    Research Misconduct

     

    Reference

    45 CFR § 164.508
    45 CFR § 164.512 (i)
    45 CFR § 164.514 (e)

     

    Privacy Complaints Policy

    Attachment 10

    Scope of Policy

    This policy governs the privacy complaints process for UCCS and its designated health care components. All workforce members of UCCS designated health care components must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

    Those officers, agents, employees, business associates, contractors, affected vendors, temporary workers, students, and volunteers associated with UCCS designated health care components must read, understand, and comply with this policy in full and at all times.

    Policy Statement

    1. It is the Policy of UCCS and its designated health care components to respond in a timely and positive manner to all complaints submitted by any persons or parties, including patients, workforce members, and any other person or party.
    2. UCCS and its designated health care components must comply with HIPAA and the HIPAA implementing regulations pertaining to privacy complaints in accordance with the requirements at § 164.530(a) and § 164.530(d), as amended by the HITECH Act of 2009 (ARRA Title XIII), and the HIPAA Omnibus Final Rule (Effective Date: March 26, 2013).
    3. HIPAA regulations, at § 164.530(g), prohibit intimidating or retaliatory acts against any person or patient who files a privacy complaint or exercises any Right guaranteed under HIPAA.
    4. Responsibility for the acceptance of, management of, and responses to privacy complaints shall reside with the UCCS privacy officer, who shall establish a process and appropriate forms to receive and process complaints.

    Procedures

    1. Complaints can be submitted anonymously through a third party vendor, EthicsPoint, at https://secure.ethicspoint.com/domain/media/en/gui/14973/index.html.
    2. Complaints can be submitted in written form (Privacy Complaint Form), dated and signed by the complainant. The University will treat complaints received through other means, like email, telephone, or in-person conversation, in a similar manner.
    3. The UCCS privacy officer, in conjunction with the UCCS designated health care component’s director/designate, shall investigate and respond to all written complaints with a written response within 30 days of the time each complaint is received. If more time is required to investigate and resolve a specific complaint, the complainant shall be notified in writing, within 30 days of the time each complaint is received, that additional time is required to investigate and resolve the complaint. In no case shall more than 60 days elapse between the time a complaint is received and the resolution of the complaint.
    4. The UCCS privacy officer shall investigate each and every complaint in a fair, impartial, and unbiased manner. All parties named in the complaint, or who participated in events leading to the complaint, shall be interviewed in a non-threatening and non-coercive manner.
    5. The final resolution or disposition of each written complaint shall be documented, and a summary of the findings shall be provided to the complainant within 30 days of the time each complaint is submitted in writing, unless the additional 30 days of response time is invoked, as above. The final resolution or disposition shall be retained in accordance with Attachment 2 Documentation Policy (Retention).
    6. In addition to providing complainants with a written response to their complaint, complaints that are found to have merit will be resolved with some remediation that is appropriate to the severity of the situation. Such remediations may include, but are not limited to:
      1. A written apology to the complainant from our organization.
      2. Credit-monitoring service for the complainant for a period of one or two years, paid for by our organization, when the complaint involves a breach of unsecured individually identifiable health information that has been compromised or put at risk by our actions.
      3. Financial compensation, if determined to be appropriate by legal counsel and senior management.
      4. Sanctions against workforce members, as appropriate to the circumstances.
      5. Other unspecified remediation(s), as determined by legal counsel and senior management.
    7. For complaints submitted to the federal government, it is the Policy of UCCS and its designated health care components to cooperate fully and openly with federal authorities as they conduct their investigation, as specified in Attachment 4 HHS Investigations Policy.
    8. No officer, agent, employee, contractor, temporary worker, student, or volunteer of UCCS and its designated health care components shall obstruct or impede any investigation in any way, whether internal or federal.

    Related Policies

    Code of Conduct
    Reporting and filing a complaint (see Compliance and Ethics Website)

     

    Reference

    45 CFR § 164.530(a)
    45 CFR § 164.530(d)

     

    Risk Management and Risk Analysis Policy

    Attachment 11

    Scope of Policy

    This policy governs risk analysis for UCCS designated health care components. All workforce members of UCCS designated health care components must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

    Those officers, agents, employees, business associates, contractors, affected vendors, temporary workers, students, and volunteers associated with UCCS designated health care components must read, understand, and comply with this policy in full and at all times.

    Policy Statement

    1. It is the responsibility of anyone at UCCS who uses, discloses or maintains protected health information (PHI) to practice security management. This includes faculty, staff, students, trainees, volunteers, etc. The UCCS security officer is responsible for overall periodic campus risk analyses, compliance program evaluations, and maintenance.
    2. It is the Policy of UCCS and its designated health care components to establish, implement, and maintain an appropriate risk management process.
    3. Business and information-technology “best practices”, along with the research and recommendations of the National Institute for Standards and Technology (NIST), shall be included in the development and execution of the risk management process
    4. Such a risk management process shall be under the direct control and supervision of the designated UCCS privacy officer and UCCS security officer, and shall involve legal counsel, the UCCS Office of Information Technology (OIT), UCCS designated health care component leadership, and any other parties or persons deemed to be appropriate.
    5. This process shall strive to identify, analyze, prioritize, and minimize identified risks to information privacy, security, integrity, and availability. The nature and severity of various risk and risk elements shall be identified and quantified, with the goal of reducing risk as much as is practicable. The risk management process shall be ongoing, and shall be updated, analyzed, and improved on a continuous basis.
    6. Risk management results shall be used for management’s decision-making processes, in order to help reduce our overall risk and to comply with HIPAA and other applicable laws and regulations.

    Procedures

    1. Security Management Process. All members of the UCCS workforce who create, receive, maintain or transmit PHI must implement policies and procedures to prevent, detect, contain, and correct security violations.
    2. Risk Analysis
      1. It is the responsibility of each UCCS designated health care component’s leadership in conjunction with the UCCS privacy officer and the UCCS security officer to conduct risk assessments to understand and document risks from security failures that may cause loss of confidentiality, integrity, or availability. Risk assessments should take into account the potential adverse impact on the University’s reputation, operations, and assets. The risk assessment will be completed and documented using the HIPAA Walkthrough Checklist and the HIPAA Security Workbook ("Workbook").
      2. It is the responsibility of the UCCS privacy officer and the UCCS security officer to conduct HIPAA walkthroughs of each UCCS designated health care component at least every two years.
      3. It is the responsibility of the UCCS security officer and the director/designate of each UCCS designated health care component to complete the Workbook pursuant to this procedure. The completed Workbook will be approved by the UCCS security officer and treated as documentation of HIPAA procedures. The completed Workbook should be used by each UCCS designated health care component for policy implementation, enforcement, and training. A copy of completed Workbooks must be kept on file and easily accessible to the workforce by each UCCS designated health care component and the UCCS privacy officer and the UCCS security officer.
        1. It is the responsibility of the director/designate of each UCCS designated health care component in conjunction with the UCCS security officer to identify relevant information systems and electronic information resources that require protection.
        2. It is the responsibility of the director/designate of each UCCS designated health care component in conjunction with the UCCS security officer to review and update risk assessments annually, or more frequently in response to significant legislative, environmental, or operational changes.
        3. It is the responsibility of the director/designate of each UCCS designated health care component to inform the UCCS privacy officer and UCCS security officer of the completion of all documented risk assessments within thirty (30) calendar days of their completion and provide a copy upon request.
    3. Risk Management
      1. It is the responsibility of the director/designate of each UCCS designated health care component in conjunction with the UCCS privacy officer and the UCCS security officer to select appropriate controls, e.g. policies, procedures, technologies, to safeguard data relative to the sensitivity or criticality determined by the risk assessment and to document the individual(s) responsible for implementation of each recommended practice.
      2. It is the responsibility of the director/designate of each UCCS designated health care component in conjunction with the UCCS security officer to, where possible, incorporate these standards and practices when evaluating and selecting new hardware and software.

    Related Policies

    Code of Conduct
    Data Governance
    Electronic Communications
    E-mail as Official Means of Communication
    IT Security Program
    Social Media Policy
    Reporting and filing a complaint (see Compliance and Ethics Website)

     

    Reference

    164.302 to 164.318
    164.308(a)(1)
    The Health Information Technology for Economic and Clinical Health Act (HITECH Act) National Institute for Standards and Technology (“NIST”)

     

    Sanction Policy

    Attachment 12

    Scope of Policy

    This policy governs workforce sanctions and disciplinary actions for UCCS and its designated health care components. All workforce members of UCCS designated health care components must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

    Those officers, agents, employees, business associates, contractors, affected vendors, temporary workers, students, and volunteers associated with UCCS designated health care components must read, understand, and comply with this policy in full and at all times.

    Policy Statement

    1. It is the Policy of UCCS and its designated health care components to establish and implement appropriate, fair and consistent sanctions for workforce members who fail to follow established policies and procedures, or who commit various offenses.
    2. Sanctions will be imposed pursuant to applicable HIPAA policies.
    3. Offenses involving obvious illegal activity related to patient privacy may result in notifications to appropriate law enforcement authorities.
    4. It is the Policy of UCCS and its designated health care components to fully document all workforce sanctions and their dispositions, according to our Documentation Policy and HIPAA requirements.

    Procedures

    1. The UCCS privacy officer and UCCS security officer will investigate all alleged violations of UCCS HIPAA policies, and will document the allegations and their eventual resolution, including any disciplinary actions taken. The UCCS privacy officer will maintain all official documentation related to privacy violations. The UCCS security officer will maintain all official documentation related to security violations.
    2. All affected departments and/or individuals shall cooperate fully with the investigation. The UCCS privacy officer and the UCCS security officer shall keep UCCS administration apprised of ongoing investigations as appropriate. Given the nature of some of these investigations, there are times when the scope of the problem must be determined before notification is possible.
    3. The determination of what, if any, disciplinary action will be taken will be made in accordance the applicable disciplinary procedures. The UCCS privacy officer and/or the UCCS security officer will assist the disciplinary authority in determining an appropriate disciplinary action that is based on the relative severity of the violation.

    Related Policies

    Code of Conduct
    Reporting and filing a complaint (see Compliance and Ethics Website)

    Reference

    45 CFR § 164.308(a)(1)

     

    Information System Activity Review/ Authorization and Supervision Policy/Log-in Monitoring Policy

    Attachment 13

    Scope of Policy

    This policy governs information systems activity reviews for UCCS designated health care components. All workforce members of UCCS designated health care components must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

    Those officers, agents, employees, business associates, contractors, affected vendors, temporary workers, students, and volunteers associated with UCCS designated health care components must read, understand, and comply with this policy in full and at all times.

    Policy Statement

    1. It is the Policy of UCCS and its designated health care components to only permit workforce members who have been appropriately authorized to have access to individually identifiable health information.
    2. It is the Policy of UCCS and its designated health care components to properly supervise workforce members who have access to individually identifiable health information.
    3. Proper authorization to access individually identifiable health information, and appropriate supervision of workforce members authorized to access individually identifiable health information can help reduce our overall risk and reduce the likelihood of data breaches and HIPAA violations.
    4. Workforce members shall have access only to the individually identifiable health information that they need in order to perform their work-related duties.
    5. It is the Policy of UCCS and its designated health care components to document the authorization and supervision of all workforce members who have access to individually identifiable health information.
    6. Regular monitoring of log-ins and log-in attempts is a proven approach to controlling access to sensitive information systems and data, and to detecting inappropriate information systems activity.
    7. Discrepancies and potentially inappropriate or illegal activities shall immediately be brought to the attention of the UCCS privacy officer, the director/designate of the UCCS designated health care component, legal counsel, and/or Human Resources, as appropriate.
    8. UCCS shall assess potential risks and vulnerabilities by both reviewing information system activity, as well as developing, implementing, and maintaining appropriate administrative, physical, and technical security measures in order to detect and minimize security violations involving protected health information (PHI). These protective measures give UCCS the ability to identify unauthorized data access activities, assess security safeguards, and respond to potential weaknesses.
    9. It is the Policy of UCCS and its designated health care components to regularly review various indicators and records of information system activity, including, but not limited to: audit logs, access reports, and security incident reports.
    10. The goal of this policy is to prevent, detect, contain, and correct security violations and threats to individually identifiable health information, whether in electronic or any other forms.
    11. It is the policy of UCCS and its designated health care components to document all information system activity review activities and efforts.

    Procedures

    1. General.
      1. Each UCCS designated health care component director/designate shall determine which individuals are authorized to work with PHI in accordance with a role-based approach.
      2. It is the responsibility of the director/designate of each UCCS designated health care component to authorize and supervise workforce members’ access to individually identifiable health information.
      3. Any violations discovered during review will be reported to the UCCS privacy officer or UCCS security officer as outlined on the UCCS Office of Information Technology (OIT) website under "Incident Response" https://www.uccs.edu/it/security/incident-response.html.
      4. UCCS OIT maintains an internal security control program. Procedures, policies, and record- keeping activities have been established to ensure proper legal and ethical business practices. This program complements the user authentication process and may act as a deterrent to internal abuse by making users aware that audit trails, file access reports, and security incident tracking reports are produced, reviewed and investigated. Violations are subject to applicable sanctions. The internal security control program may take various forms including regular information system activity review. These reviews incorporate login monitoring, automated reports of audit trails or logs, file access reports, and manually produced security incident tracking reports.
    2. Audit Controls. UCCS OIT will monitor audit records from firewall and other network protection layer logs, domain logs including login and data access activity, and event logs from host operating systems.
      1. Audit Control and Review Plan. An audit control and review plan must be developed by each UCCS designated health care component’s director/designate that hosts PHI and must be approved by the UCCS security officer. If the UCCS designated health care component’s PHI inventory changes, causing its audit control and review plan to change, the plan must be re- evaluated and re-submitted to the UCCS security officer. The plan must include:
        1. Systems and applications to be logged;
        2. Information to be logged for each system;
        3. Login reports for each system; and,
        4. Procedures to review all audit logs and activity reports, including identifying each workforce member responsible for performing the audit, the frequency the audit is to be performed, and escalation procedures if suspicious activity is detected.
      2. Audit Trail. The audit trail provides a means to monitor user activity and detect suspicious activity and/or breaches. It also provides the ability to reconstruct events where data integrity may be questioned and functions as a deterrent to misuse by workforce members. The audit trail process includes the implementation of hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use PHI.
      3. Audit Trail Mechanisms.
        1. The mechanisms used to capture audit trail information may include use of automated tools designed to report suspicious activity or use of automated warning messages that appear prior to access of sensitive information. System hardware, software, and applications must have the capability of creating log files. These logs must include, but are not limited to:
          1. user ID;
          2. login date/time; and,
          3. activity time.
        2. Audit logs may include system and application log-in reports, activity reports, exception reports or other mechanisms to document and manage system and application activity. Audit control mechanisms for systems containing low risk PHI (determined during the regular risk assessment) are not required.
      4. Workforce Accountability. The director/designate of each UCCS designated health care component must educate their workforce members on the UCCS designated health care component’s specific audit procedures and requirements as necessary. This includes incorporating the concept of audit trail and individual user accountability.
    3. Information System Activity Review. Each UCCS designated health care component that hosts PHI must regularly review records of information system activity, such as audit logs, file access reports, and security incident reports. Routine review of information systems activity provides an automatic trail of user actions whenever PHI is accessed or modified. This review promotes individual user accountability and gives UCCS the ability to reconstruct significant events or examine suspicious activities as necessary.
      1. Conducting the Review.
        1. Each UCCS designated health care component must designate an individual responsible for conducting the review of information systems activity and determine the frequency with which the review will be conducted, based on the UCCS designated health care component’s audit control and review plan.
        2. To support an effective review, the following information should be examined: audit trails or logs; file access reports; and security incident tracking reports. If suspicious activity is detected, the reviewer should collect: type of event; date and time of occurrence; user ID; and, program used.
      2. Whoever discovers misuse or suspicious activity must contact the director/designate of the UCCS designated health care component and the UCCS security officer.
    4. Log-in Monitoring. As part of the audit control and review plan, each UCCS designated health care component must monitor login success and failure to systems that host PHI. To ensure that unauthorized login attempts are discovered, whoever discovers discrepancies or unusual login patterns must report such activity to the director/designate of the UCCS designated health care component and the UCCS security officer.
      1. Monitoring of audit trails should be performed with the help of an automated alerting tool or periodic manual review of the logs.
      2. The director/designate of the UCCS designated health care component must educate the workforce members on the specific procedures and reporting requirements for log-in monitoring.
    5. Retention.
      1. Audit trails, file access reports, and automated security incident reports in exact and retrievable copy form must be retained in a secure manner, taking into consideration system capability, space issues, and modality. The method of retention and length of time these reports are to be retained is to be determined by the director/designate of the UCCS designated health care component and included in the audit control and review plan.
      2. All UCCS designated health care components’ HIPAA procedures, documentation of decisions made, information system activity reviews, and investigations conducted pursuant to this policy must be retained for a period of no less than six (6) years from the date the policy was last in effect or from the date the decision or investigation was made.

    Related Policies

    Code of Conduct
    Data Governance
    IT Security Program
    Reporting and filing a complaint (see Compliance and Ethics Website)
    UCCS Policy 700-005 Computer Security Incident Response

     

    Reference

    45 CFR § 164.302 to 164.318
    45 CFR § 164.308
    45 CFR § 164.308(a)(3)
    The Health Information Technology for Economic and Clinical Health Act (HITECH Act)
    National Institute for Standards and Technology (NIST)

     

    Workforce Clearance and Access/Termination Policy

    Attachment 14

    Scope of Policy

    This policy governs workforce clearance and screening (pre-employment and post-employment) for UCCS designated health care components. All workforce members of UCCS designated health care components must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

    Those officers, agents, employees, business associates, contractors, affected vendors, temporary workers, students, and volunteers associated with UCCS designated health care components must read, understand, and comply with this policy in full and at all times.

    Policy Statement

    1. It is the Policy of UCCS and its designated health care components to provide the appropriate level of access to individually identifiable health information to all members of the workforce.
    2. It is the Policy of UCCS and its designated health care components to acknowledge a duty and responsibility to support and facilitate the timely and unimpeded flow of health information for lawful and appropriate purposes.
    3. The level of access to individually identifiable health information for workforce members shall be based upon the nature of each workforce member’s job and its associated duties and responsibilities. Workforce members shall have access to all of the individually identifiable health information that they need to do their jobs, but no more access than that.
    4. No workforce member shall have access to a higher level of individually identifiable health information than the level for which they have been cleared.
    5. Workforce clearance shall specifically incorporate required background screening in accordance with the UCCS Campus Policy 300-022 Employment Background Checks.
    6. It is the Policy of UCCS and its designated health care components to fully document all workforce clearance-related activities and efforts.

    Procedures

    1. General.
      1. It is the responsibility of the director/designate of each UCCS designated health care component to identify a member of the workforce who is responsible for the development and implementation of the policies and procedures required by this procedure.
      2. It is the responsibility of the director/designate of each UCCS designated health care component, as well as the UCCS security officer and the UCCS Office of Information Technology (OIT) to implement policies and procedures to ensure that all workforce members have appropriate access to electronic protected health information (ePHI), as provided below, and to prevent those workforce members who do not have access from obtaining access to ePHI.
      3. It is the responsibility of the director/designate of each UCCS designated health care component as well as the UCCS security officer to implement procedures for the authorization and/or supervision of workforce members who work with ePHI or in locations where it might be accessed.
      4. It is the responsibility of the director/designate of each UCCS designated health care component to determine which individuals are authorized to work with ePHI in accordance with a role-based approach.
    2. Workforce Clearance Procedure.
      1. It is the responsibility of the director/designate of each UCCS designated health care component as well as the UCCS security officer to implement procedures to determine that the access of a workforce member to ePHI is appropriate.
      2. It is the responsibility of the director/designate of each UCCS designated health care components to review role definitions and assignments for appropriateness at least annually.
      3. It is the responsibility of the director/designate of each UCCS designated health care component to review access management procedures for appropriateness at least annually.
    3. Access Authorization.
      1. It is the responsibility of the director/designate of each UCCS designated health care component to implement policies and procedures for granting access to ePHI, including through access to a workstation, transaction, program, process, or other mechanism.
      2. It is the responsibility of the director/designate of each UCCS designated health care component as well as the UCCS security officer to ensure there is a formal system for authorizing user access to ePHI, such as an account request form requiring management approval.
      3. It is the responsibility of the director/designate of each UCCS designated health care component to ensure access is to be granted in accordance with a role-based approach.
      4. It is the responsibility of the director/designate of each UCCS designated health care component to maintain documentation of all authorized users of ePHI and their access levels.
      5. It is the responsibility of the director/designate of each UCCS designated health care component to ensure workforce members must receive security awareness and HIPAA training prior to obtaining access to ePHI see Attachment 6 HIPAA Training Policy.
      6. It is the responsibility of the director/designate of each UCCS designated health care component as well as the UCCS security officer to ensure HIPAA systems must have the capacity to set access controls.
    4. Access Establishment and Modification.
      1. It is the responsibility of the director/designate of each UCCS designated health care component as well as the UCCS security officer to implement policies and procedures that, based upon the UCCS designated health care component’s access authorization policies, establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process.
      2. It is the responsibility of the director/designate of each UCCS designated health care component as well as the UCCS security officer and the UCCS OIT to develop and implement procedures to establish, document, review and modify a user’s access to ePHI. Access shall use the principle of “least privileges.” For purposes of this document, “least privileges” means giving a user account only those privileges which are essential to perform its intended function.
      3. It is the responsibility of the director/designate of each UCCS designated health care component as well as the UCCS security officer to ensure procedures include a regular review of those with access to ePHI, including the appropriateness of access levels. The period for which and the extent, frequency, and nature of reviews are determined by the UCCS designated health care component’s security environment and overall security management process. The UCCS security officer will determine the period of review at least annually.
      4. It is the responsibility of the director/designate of each UCCS designated health care component as well as the UCCS security officer and the UCCS OIT to ensure procedures must require prompt initiation of account modifications/termination.
    5. Termination Procedures.
      1. It is the responsibility of the director/designate of each UCCS designated health care component as well as the UCCS OIT in conjunction with the Department of Human Resources to implement procedures for terminating access to ePHI when the employment of a workforce member ends.
      2. It is the responsibility of the director/designate of each UCCS designated health care component as well as the UCCS security officer to establish account maintenance procedures that ensure termination of accounts or change in access privileges for individuals who have been terminated or are no longer authorized to access ePHI.
    6. Documentation. All documentation required by this policy must be retained for a period of six (6) years from when it was created or was last in effect, whichever is later.

    Related Policies

    Code of Conduct
    Data Governance
    IT Security Program
    Reporting and filing a complaint (see Compliance and Ethics Website)
    UCCS Campus Policy 300-022 Employment Background Checks

     

    Reference

    45 CFR § 164.308(a)(3)
    The Health Information Technology for Economic and Clinical Health Act (HITECH Act)
    National Institute for Standards and Technology (“NIST”)

     

    HIPAA Security Reminders Policy

    Attachment 15

    Scope of Policy

    This policy governs the creation and implementation of security reminders for UCCS and its designated health care components. All workforce members of UCCS designated health care components must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce. Those officers, agents, employees, business associates, contractors, affected vendors, temporary workers, students, and volunteers associated with UCCS designated health care components must read, understand, and comply with this policy in full and at all times.

    Policy Statement

    1. It is the Policy of UCCS and its designated health care components to develop or acquire and to use appropriate information security reminders, or other information security awareness resources, on a regular basis
    2. The UCCS privacy officer and UCCS security officer shall assume responsibility for developing or acquiring such reminders and resources, and for implementing a plan and program ensuring their frequent use
    3. It is the Policy of UCCS and its designated health care components to document all information security reminder-related activities and efforts in accordance with HIPAA regulations
    4. The frequent use of appropriate security reminders and other information security awareness resources can reduce the likelihood of data breaches and HIPAA violations.

    Procedures

    1. It is the responsibility of the director/designate of each UCCS designated health care component as well as the UCCS security officer to establish security awareness and HIPAA training for all UCCS workforce members involved in the creation, transmission, and storage of ePHI. Training activities include:
      1. Initial security awareness and HIPAA training for individuals with ePHI-related job duties. Training will include UCCS Password Standards and the importance of protecting against malicious software and exploitation of vulnerabilities.
      2. Review of changes to internal policies, procedures, and technologies
      3. Periodic reminders about security awareness and HIPAA
      4. Security notices or updates regarding current threats
    2. It is the responsibility of the director/designate of each UCCS designated health care component as well as the UCCS security officer to ensure HIPAA entities must maintain records of training materials and completion of training for six years

    Related Policies

    Code of Conduct

    Data Governance

    E-Mail as Official Means of Communication

    IT Security Program

    Social Media Policy

    Reporting and filing a complaint

    Reference

    45 CFR § 164.308(a)(5)

    HIPAA Malware Protection Policy

    Attachment 16

    Scope of Policy

    This policy governs malware protection for UCCS designated health care components. All workforce members of UCCS designated health care components must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce. Those officers, agents, employees, business associates, contractors, affected vendors, temporary workers, students, and volunteers associated with UCCS designated health care components must read, understand, and comply with this policy in full and at all times.

    Policy Statement

    1. It is the Policy of UCCS and its designated health care components to develop and apply a rigorous program of techniques, technologies, and methods to guard against, detect, and report the presence of malicious software
    2. The use of appropriate techniques, technologies, and methods to protect information systems from malicious software (“malware”) is a proven approach to reducing the likelihood of data breaches, system malfunctions, and HIPAA violations.
    3. Responsibility for malware protection shall reside with the UCCS security officer, who shall ensure that the most effective and appropriate techniques, technologies, and methods are continuously used to protect our information systems, and the individually identifiable health information they contain, from malicious software.
    4. It is the Policy of UCCS and its designated health care components to fully document all malware protection-related activities and efforts, in accordance with our documentation policy.

    Procedures

    1. It is the responsibility of the UCCS security officer, in conjunction with the UCCS Office of Information Technology (OIT) to protect all devices against malicious software, such as computer viruses, Trojan horses, and spyware. It is the responsibility of the UCCS security officer, in conjunction with the UCCS OIT to also ensure the safeguards and appropriate configurations are included in the standard set-up procedures for new systems and workstations that contain or access electronic protected health information (ePHI).
    2. It is the responsibility of the UCCS security officer, in conjunction with the UCCS OIT, to run versions of operating systems and application software for which security patches are made available and installed in a timely manner in accordance with UCCS Security Standards for Information Systems. The UCCS security officer will determine the period of review at least annually.
    3. It is the responsibility of the UCCS security officer, in conjunction with the UCCS OIT, to “harden” systems. “Hardening” includes:
      1. Installing OS and third-party application updates (patches) and keeping them current
      2. Changing or removing default logins/passwords
      3. Disabling unnecessary services.
      4. Installing virus and malware protection software and updating them at least weekly.
      5. Setting proper file/directory ownership/permissions.
    4. It is the responsibility of the UCCS security officer, in conjunction with the UCCS OIT to periodically, and at least annually, review HIPAA workstation settings to ensure that they comply with UCCS Security Standards for Information Systems and UCCS Policy 700-002 Responsible Computing Section II.B.1.a.
    5. It is the responsibility of the UCCS security officer, in conjunction with the UCCS OIT, to perform periodic network vulnerability scans of systems containing known ePHI, and workstations that access ePHI, and take adequate steps to correct discovered vulnerabilities.
    6. It is the responsibility of the UCCS security officer, in conjunction with the UCCS OIT, to implement e-mail malicious code filtering
    7. It is the responsibility of the UCCS security officer, in conjunction with the UCCS OIT, to install/enable firewalls (hardware and/or software) to reduce threat of unauthorized remote access
    8. It is the responsibility of the UCCS security officer, in conjunction with the UCCS OIT to ensure intrusion detection software and/or systems may also be installed to detect threat of unauthorized remote access.

    Related Policies

    APS 6005 IT Security Program Policy

    Data Governance

    Electronic Communications

    E-Mail as Official Means of Communication

    IT Security Program

    Reporting and filing a complaint (see Compliance and Ethics Website)

    UCCS 700-005 Computer Security Incident Response

    Reference

    45 CFR § 164.308(a)(5)

    The Health Information Technology for Economic and Clinical Health Act (HITECH Act)

    National Institute for Standards and Technology (“NIST”)

    HIPAA Password Management Policy

    Attachment 17

    Scope of Policy

    This policy governs information systems password management for UCCS designated health care components. All workforce members of UCCS designated health care components must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

    Those officers, agents, employees, business associates, contractors, affected vendors, temporary workers, students, and volunteers associated with UCCS designated health care components must read, understand, and comply with this policy in full and at all times.

    Policy Statement

    1. It is the Policy of UCCS and its designated health care components to require the use of strong passwords by all workforce members who access, use, or maintain systems that contain, transmit, receive, or use individually identifiable health information.
    2. Individuals who access protected health information (PHI) are responsible for choosing passwords that adhere to the password procedures defined by the software system administrator and the referenced HIPAA best practices.

    Procedures

    1. It is the responsibility of the director/designate of each UCCS designated health care component, as well as the UCCS security officer, in conjunction with the UCCS Office of Information Technology (OIT), to ensure compliance with procedures for creating, changing, and safeguarding passwords.
    2. It is the responsibility of each UCCS designated health care component's leadership, as well as the UCCS security officer to enforce password strength requirements for access by third-party access, when possible.
    3. It is the responsibility of the director/designate of each UCCS designated health care component, as well as the UCCS security officer, to ensure that workforce members understand password procedures.
    4. All workforce members must follow password management best practices as emphasized in HIPAA training programs, security reminders, and HIPAA awareness resources used by this organization.
    5. In the event of a known information system compromise, some or all workforce-member passwords must be changed. This determination shall be made by the UCCS security officer.
    6. Any workforce member who experiences any compromise of their password or pass-phrase shall follow the requirements in Attachment 5 Breach Notification Policy.

    Related Policies

    APS 6005 IT Security Program Policy
    Data Governance
    Electronic Communications
    E-Mail as Official Means of Communication
    IT Security Program
    Reporting and filing a complaint (see Compliance and Ethics Website)
    UCCS 700-002 Responsible Computing
    UCCS 700-003 Information Technology Security
    UCCS 700-005 Computer Security Incident Response

    Reference

    45 CFR § 164.308(a)(5)
    45 CFR § 164.306

    HIPAA Security Incident Policy

    Attachment 18

    Scope of Policy

    This policy governs responses to security incidents involving the breach or compromise of protected health information (PHI) for UCCS designated health care components. All workforce members of UCCS designated health care components must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

    Those officers, agents, employees, business associates, contractors, affected vendors, temporary workers, students, and volunteers associated with UCCS designated health care components must read, understand, and comply with this policy in full and at all times.

    Policy Statement

    1. It is the Policy of UCCS and its designated health care components to rapidly identify and appropriately respond to all security incidents, regardless of their severity.
    2. Responsibility for responding to and managing security incidents shall reside with the UCCS security officer and, if necessary, the UCCS privacy officer.
    3. It is the responsibility of each UCCS designated health care component's leadership, as well as the UCCS security officer, in conjunction with UCCS Office of Information Technology (OIT), to develop procedures for Incident Response related to electronic PHI (ePHI).
    4. It is the Policy of UCCS and its designated health care components to fully document all security incidents and responses, in accordance with UCCS documentation procedures and HIPAA requirements.

    Procedures

    1. Security Incident. A security incident or breach is an attempted or successful acquisition, unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system in a manner not permitted under the HIPAA Security Rule which compromises the security or privacy of the PHI.
    2. Response and Reporting. UCCS is required to identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of known incidents; and document incidents and their outcomes. This includes improper network activity and misuse of outside data.
      1. Suspected Incident Occurs. A security incident may occur through a misuse of UCCS OIT resources that results in a widespread intentional or unintentional compromise of information security. Also, large scale intrusions into a computing network may lead to unauthorized access to sensitive information and a lost or stolen laptop may result in a security incident involving sensitive data.
      2. Incident Detected. Incidents may be detected through many different means, with varying levels of detail. Automated detection capabilities include network-based and host-based intrusion detection systems, antivirus software, and log analyzers. Incidents may also be detected through manual means, such as problems reported by users. While some incidents have overt signs that can be easily detected, others are almost impossible to detect without automation.
      3. Do Not Disturb. No one is to disturb implicated data or devices. The incident may require further investigation. It is important that nothing be disturbed at this step of the procedure.
      4. Report. Anyone who suspects that a privacy or security incident or breach has occurred is to report incidents to:
        1. The director/designate of the affected UCCS designated health care component;
        2. The UCCS privacy officer at comply@uccs.edu ; and
        3. The UCCS security officer at security@uccs.edu.
      5. Mitigate - if possible, mitigate any harmful effects of the incident that are known. This may mean removing the affected device(s) from the network.
      6. Categorize Incident. It is the responsibility of the director/designate of each UCCS designated health care component and the UCCS security officer to categorize the incident as:
        1. "Denial of Service" is an attack that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU), memory, bandwidth, and/or disk space.
        2. "Malicious Code" refers to a program that is covertly inserted into another program with the intent to destroy data, run destructive or intrusive programs, or otherwise compromise the security or integrity of the victim's data. Malicious code is usually designed to perform these inappropriate functions without the user's knowledge. Viruses, worms, and Trojan horses are considered forms of malicious code.
        3. "Unauthorized Access" occurs when a person gains logical or physical access without permission to a network, system, application, data, or other resource. Unauthorized access is typically gained through the exploitation of operating system or application vulnerabilities, by getting hold of usernames and passwords, or social engineering.
        4. "Inappropriate Usage" occurs when a legitimate user violates acceptable computing use policies. Examples of inappropriate use include sending spam promoting a personal business, sending email perceived as harassing individuals, etc. Inappropriate use issues may not constitute a security incident but must be assessed by the UCCS security officer to determine if the inappropriate usage has created a security incident.
        5. "Multiple Component" is a single incident that encompasses two or more incidents or falls into multiple incident categories. These incidents should be handled in line with the severest infraction involved.
      7. Investigate and Respond to Incident. It is the responsibility of the UCCS security officer in conjunction with UCCS OIT to investigate and respond to the incident and mitigate any harmful effects of the incident, if possible.
        1. If the incident cannot be handled by the UCCS security officer and/or UCCS OIT, the UCCS security officer will call an ad hoc meeting of appropriate individuals to make up an incident response team to investigate and respond to the incident. The ad hoc group may be composed of some or all of the following members or their representatives, as determined by the UCCS security officer to appropriately respond to the incident:
          1. Assistant Vice Chancellor for Information Technology and Chief Information Officer
          2. Registrar (if student data);
          3. Human Resources;
          4. UCCS Legal Counsel;
          5. UCCS Office of Compliance;
          6. Vice Chancellor of affected unit;
          7. Dean, Director, Chair, or Head of affected unit;
          8. Public Relations;
          9. Campus Police;
          10. Appropriate Office of Information Technology personnel;
          11. UCCS Privacy Officer;
          12. Others, as determined by the UCCS security officer.
        2. If the incident is of significant magnitude, the following members should be considered by the UCCS security officer for inclusion in the group:
          1. Internal Audit;
          2. CU-System Legal Counsel;
          3. CU-System Public Relations;
          4. Other CU Campus Information Technology or OIT Offices;
          5. Risk Management.
      8. Documentation. It is the responsibility of the director/designate of each UCCS designated health care component, as well as the UCCS security officer to ensure that the incident, investigation, response, and outcome is properly documented. The UCCS security officer, UCCS OIT, and/or the response team must document the security incident, investigation of the incident, and response and remediation. The UCCS security officer is responsible for retaining documentation of incidents.
      9. Conclusion. The UCCS security officer, UCCS OIT, and/or the response team should determine if policies or procedures need to be implemented to prevent a reoccurrence of the incident or if additional campus education or purchase of network or computing security devices are needed to prevent similar future incidents.
    3. Additional Documentation.
      1. All breach notification activities will be managed by the UCCS privacy officer and the UCCS security officer who will report to the Office of Civil Rights with the assistance and cooperation of involved UCCS staff and departments. This includes notice to affected individuals and to the Secretary of Health and Human Services and the Office of Civil Rights.
      2. Security incident procedure documentation and changes shall be retained for six (6) years.

    Related Policies

    Code of Conduct
    Data Governance
    Electronic Communications
    E-Mail as Official Means of Communication
    Employment Background Checks
    IT Security Program
    Reporting and filing a complaint (see Compliance and Ethics Website)
    UCCS Policy 700-004 Wireless Network (8/5/2016)
    UCCS Policy 700-005 UCCS Computer Security Policy (8/5/2016)

    Reference

    45 CFR § 164.308(a)(6)
    45 CFR § § 164.400 to 164.414

    Data Backup and Storage Policy

    Attachment 19

    Scope of Policy

    This policy governs data backup and storage for UCCS designated health care components. All workforce members of UCCS designated health care components must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

    Those officers, agents, employees, business associates, contractors, affected vendors, temporary workers, students, and volunteers associated with UCCS designated health care components must read, understand, and comply with this policy in full and at all times.

    Policy Statement

    1. It is the Policy of UCCS and its designated health care components to create and maintain complete, retrievable, exact backups of all individually identifiable health information generally, and electronic protected health information (ePHI) specifically, held, processed, or stored in the course of business operations, in full compliance with all the requirements of HIPAA.
    2. All data backups shall be created and maintained in such manner as to ensure that the maximum degree of data integrity, availability, and confidentiality are maintained at all times.
    3. The storage of data backups in a separate location, removed from normal business operations (offsite) is an essential element of any successful data backup plan.
    4. Backups help to ensure that healthcare providers and others have immediate, around-the-clock access to patient information.
    5. It is the Policy of UCCS and its designated health care components to create retrievable, exact copies of ePHI, when needed, before any movement or maintenance of data processing equipment that could result in the loss or compromise of ePHI.
    6. It is the responsibility of the director/designate of each UCCS designated health care component in conjunction with the UCCS security officer to perform appropriate backups on UCCS designated health care component's network, including shared drives containing application data, patient information, financial data, and crucial system information.
    7. The ability to create and maintain retrievable, exact copies of individually identifiable health information generally, and ePHI specifically, is a critical element of our business operations and our ability to respond to unexpected negative events.
    8. Timely access to health information is crucial to providing high quality health care, and to our business operations.

    Procedures

    1. Data Backup.
      1. It is the responsibility of the director/designate of each UCCS designated health care component to ensure the back up of original sources of essential ePHI is done on an established schedule.
      2. It is the responsibility of the director/designate of each UCCS designated health care component to ensure backup copies are securely stored in a physically separate location from the data source.
      3. It is the responsibility of the director/designate of each UCCS designated health care component to ensure backups containing ePHI will be transported via secure methods.
      4. It is the responsibility of the director/designate of each UCCS designated health care component to ensure documentation exists to verify the creation of backups and their secure storage.
    2. Accountability.
      1. It is the responsibility of the director/designate of each UCCS designated health care component in conjunction with the UCCS security officer to maintain a record of the movements of hardware and electronic media and any person responsible therefore.
      2. It is the responsibility of the director/designate of each UCCS designated health care component in conjunction with the UCCS security officer to maintain a record of the movements of, and individual(s) responsible for, hardware and electronic media containing ePHI.
        1. The record(s) should identify all types of hardware and electronic media that must be tracked.
          1. Special attention must be paid to portable devices and removable media. These devices should not ordinarily contain ePHI and must be individually identified in the tracking system in order to contain ePHI. Their use must be consistent with the individual's identified role, such as according to a role-based matrix.
          2. This inventory should be physically confirmed at least annually.
        2. The tracking system must include a mechanism for documenting the initial assignment of responsibility for devices that contain ePHI, as well as the transfer of authority for these devices.
      3. Transport of archival media between the origination point and remote storage location must use a secure method to avoid unauthorized access to the archival media.
      4. Loss or theft of electronic equipment or media containing ePHI must immediately be reported according Attachment 18 Security Incident Policy.
    3. Data backup and storage.
      1. It is the responsibility of the director/designate of each UCCS designated health care component in conjunction with the UCCS security officer to create a retrievable, exact copy of ePHI, when needed, before movement of equipment.
      2. It is the responsibility of the director/designate of each UCCS designated health care component in conjunction with the UCCS security officer to create a retrievable, exact copy of original sources of essential ePHI before moving equipment containing them.
      3. It is the responsibility of the director/designate of each UCCS designated health care component in conjunction with the UCCS security officer to establish a process for documenting or verifying creation of retrievable, exact copy of original sources of essential ePHI.
      4. It is the responsibility of the director/designate of each UCCS designated health care component in conjunction with the UCCS security officer to develop retrievable, exact copies of ePHI that must be protected in accordance with these Standards.

    Related Policies

    Data Governance
    IT Security Program
    Reporting and filing a complaint (see Compliance and Ethics Website)

    Reference

    45 CFR § 164.308(a)(7)
    45 CFR § 164.310(a)(1-2)
    45 CFR § 164. 164.310(d)(2)(iii)

    HIPAA Disaster Recovery Policy

    Attachment 20

    Scope of Policy

    This policy governs contingency disaster recovery planning for UCCS designated health care components. All workforce members of UCCS designated health care components must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

    Those officers, agents, employees, business associates, contractors, affected vendors, temporary workers, students, and volunteers associated with UCCS designated health care components must read, understand, and comply with this policy in full and at all times.

    Policy Statement

    1. It is the Policy of UCCS and its designated health care components to establish and implement processes and procedures to create and maintain procedures for recovery of electronic protected health information (ePHI) and associated technology in the event of a disaster.
    2. A disaster may occur at any time, not necessarily during work hours.
    3. UCCS designated health care components must make reasonable efforts to remain operational with as little disruption of business operations and patient care as possible.
    4. Continuity of patient care requires uninterrupted access to patient information.
    5. In a dangerous emergency, evacuating personnel has priority over preserving information assets.
    6. The following conditions can destroy or disrupt UCCS designated health care components information systems: power interruption, fire, water, weather and other natural phenomena, sabotage, and vandalism.

    Procedures

    1. It is the responsibility of the director/designate of each UCCS designated health care component in conjunction with the UCCS security officer to establish procedures to restore loss of essential ePHI (and hardcopy PHI) as a result of a disaster or emergency.
    2. It is the responsibility of the director/designate of each UCCS designated health care component in conjunction with the UCCS security officer to maintain copies of the data restoration procedures that are readily accessible at more than one location and should not rely on the availability of local power or network.
    3. It is the responsibility of the director/designate of each UCCS designated health care component and the UCCS security officer to ensure that backup procedures include steps to ensure that all protections (patches, configurations, permissions, firewalls, etc.) are re-applied and restored before ePHI is restored to a system.
    4. The UCCS director of emergency management should be contacted as appropriate.

    Related Policies

    Code of Conduct
    Data Governance
    IT Security Program
    Reporting and filing a complaint (see Compliance and Ethics Website)
    UCCS Public Safety Website

    Reference

    45 CFR § 164.308(a)(7)

    Emergency Mode Operations Policy

    Attachment 21

    Scope of Policy

    This policy governs emergency mode operations and planning for UCCS designated health care components. All workforce members of UCCS designated health care components must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

    Those officers, agents, employees, business associates, contractors, affected vendors, temporary workers, students, and volunteers associated with UCCS designated health care components must read, understand, and comply with this policy in full and at all times.

    Policy Statement

    1. It is the Policy of UCCS and its designated health care components to establish this emergency mode operations policy to implement procedures to enable continuation of critical business processes for the protection of individually identifiable health information while operating in emergency mode.
    2. This emergency mode operations policy is designed to ensure the protection and availability of individually identifiable health information and protected health information (PHI) during emergencies requiring UCCS designated health care components to operate in “emergency mode”.
    3. UCCS designated health care components must comply with HIPAA and the HIPAA implementing regulations pertaining to emergency mode operations planning, in accordance with the requirements at § 164.308(a)(7).
    4. Individually identifiable health information must be protected during emergencies, even as it is protected during normal operations.
    5. The University’s emergency mode operations plan must be implemented and executed by the director/designate of each UCCS designated health care component in conjunction with other emergency and/or disaster plans and procedures, as appropriate and necessary.
    6. It is the Policy of UCCS and its designated health care components to fully document all emergency planning and preparedness activities and efforts.

    Procedures

    1. It is the responsibility of the director/designate of each UCCS designated health care component in conjunction with the UCCS security officer to ensure that HIPAA entity emergency operations procedures maintain security protections for ePHI.
    2. It is the responsibility of the director/designate of each UCCS designated health care component in conjunction with the UCCS security officer to evaluate operations in emergency mode, like a technical failure or power outage, to determine whether security processes to protect ePHI are maintained.
    3. It is the responsibility of the director/designate of each UCCS designated health care component to document assessment and conclusions.
    4. It is the responsibility of the director/designate of each UCCS designated health care component in conjunction with the UCCS security officer to document and implement additional authorities and procedures necessary to ensure the continuation of security protections for ePHI during emergency operations mode.
    5. It is the responsibility of the director/designate of each UCCS designated health care component to develop plans for evacuations.
      1. Each UCCS designated health care component’s emergency response plan shall include logging out of systems that contain ePHI, securing files, and locking up before evacuating a building, if safe to do so.
      2. UCCS designated health care components should have processes to ensure there was no breach when the area is re-occupied.
    6. The UCCS director of emergency management should be contacted as appropriate.

    Related Policies

    Code of Conduct
    Data Governance
    IT Security Program
    Reporting and filing a complaint (see Compliance and Ethics Website)
    UCCS Public Safety Website

    Reference

    45 CFR § 164.308(a)(7)

    Policy on Testing and Revision of Contingency and Emergency Plans and Procedures

    Attachment 22

    Scope of Policy

    This policy governs testing and revision of contingency and emergency plans and procedures for UCCS and its designated health care components. All workforce members of UCCS designated health care components must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

    Those officers, agents, employees, business associates, contractors, affected vendors, temporary workers, students, and volunteers associated with UCCS designated health care components must read, understand, and comply with this policy in full and at all times.

    Policy Statement

    1. It is the Policy of UCCS and its designated health care components to periodically test and revise, as necessary, all emergency preparedness plans, including emergency and contingency plans.
    2. UCCS designated health care components must comply with HIPAA and the HIPAA implementing regulations pertaining to the testing and revision of emergency and contingency plans and procedures, in accordance with the requirements at § 164.308(a)(7).
    3. Emergency and contingency plans, and the procedures associated with them, must be periodically tested and revised to ensure that they meet the emergency preparedness needs of UCCS designated health care components.
    4. It is the Policy of UCCS and its designated health care components that all individually identifiable health information, including protected health information (PHI), shall be afforded the same degree of security and privacy protection during the execution of any emergency or contingency plan as such information would receive during normal business operations.

    Procedures

    1. It is the responsibility of the director/designate of each UCCS designated health care component in conjunction with the UCCS security officer to implement procedures for periodic testing and revision of contingency plans.
    2. It is the responsibility of the director/designate of each UCCS designated health care component to document the contingency plan procedures.
    3. It is the responsibility of the director/designate of each UCCS designated health care component to ensure that those responsible for executing contingency plan procedures understand their responsibilities.
    4. It is the responsibility of the director/designate of each UCCS designated health care component in conjunction with the UCCS security officer to periodically, and at least annually, perform a test of the contingency plan procedures.
    5. It is the responsibility of the director/designate of each UCCS designated health care component in conjunction with the UCCS security officer to document test results, review and correct any problems with the test, and update procedures accordingly.
    6. It is the responsibility of the director/designate of each UCCS designated health care component in conjunction with the UCCS security officer to ensure that individually identifiable health information, including PHI, must be afforded the same degree of security and privacy protection during the execution of any emergency or contingency plan as such information would receive during normal business operations.

    Related Policies

    Code of Conduct
    Data Governance
    IT Security Program
    Reporting and filing a complaint (see Compliance and Ethics Website)
    UCCS Public Safety Website

    Reference

    45 CFR § 164.308(a)(7)

    Policy on Applications and Data Criticality Analysis

    Attachment 23

    Scope of Policy

    This policy governs data and applications criticality analyses for UCCS designated health care components. All workforce members of UCCS designated health care components must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

    Those officers, agents, employees, business associates, contractors, affected vendors, temporary workers, students, and volunteers associated with UCCS designated health care components must read, understand, and comply with this policy in full and at all times.

    Policy Statement

    1. It is the Policy of UCCS and its designated health care components to assess the relative criticality of all data, as defined by the UCCS security officer, so that such data may be properly protected during emergencies and during normal business operations.
    2. UCCS designated health care components must comply with HIPAA and the HIPAA implementing regulations pertaining to the analysis of the relative criticality of both data and applications, in accordance with the requirements at § 164.308(a)(7).
    3. A thorough assessment and understanding of the relative criticality of both data and applications is essential to emergency preparedness, and to effectively protecting individually identifiable health information, including protected health information (PHI) during emergencies and during normal business operations.

    Procedures

    1. It is the responsibility of the director/designate of each UCCS designated health care component in conjunction with the UCCS security officer to prioritize criticality of applications and data sets for data back-up, restoration, and application of emergency mode operation plan.
    2. Priorities can be included in data restoration procedures, Attachment 20 Disaster Recovery Policy.

    Related Policies

    Code of Conduct
    Data Governance
    Electronic Communications
    E-Mail as Official Means of Communication
    Employment Background Checks
    IT Security Program
    Social Media Policy
    Reporting and filing a complaint (see Compliance and Ethics Website)

    Reference

    45 CFR § 164.308(a)(7)

    Policy on Evaluating the Effectiveness of Security Policies and Procedures

    Attachment 24

    Scope of Policy

    This policy governs periodic evaluations of the effectiveness of security policies and procedures for UCCS designated health care components. All workforce members of UCCS designated health care components must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

    Those officers, agents, employees, business associates, contractors, affected vendors, temporary workers, students, and volunteers associated with UCCS designated health care components must read, understand, and comply with this policy in full and at all times.

    Policy Statement

    1. It is the Policy of UCCS and its designated health care components to periodically evaluate security policies and procedures, including emergency and contingency plans and procedures, in order to improve their effectiveness.

    Procedures

    1. It is the responsibility of the director/designate of each UCCS designated health care component in conjunction with the UCCS security officer and the UCCS privacy officer to review and update their HIPAA related policies and practices for compliance every five (5) years, or more frequently in response to environmental or operational changes that affect the security of electronic protected health information (ePHI).
      1. The director/designate of each UCCS designated health care component shall submit to the UCCS security officer and the UCCS privacy officer once annually by calendar year-end a list of titles and last revision dates of the policies designed to meet HIPAA Privacy and Security Rule requirements and provide copies upon request.
    2. It is the responsibility of the director/designate of each UCCS designated health care component in conjunction with the UCCS security officer and the UCCS privacy officer to review and update unit policies and procedures annually if there is no trigger for more frequent review.
    3. It is the responsibility of the director/designate of each UCCS designated health care component in conjunction with the UCCS security officer and the UCCS privacy officer to identify the individual(s) responsible for determining when evaluation is necessary due to environmental or operational changes.
    4. It is the responsibility of the director/designate of each UCCS designated health care component in conjunction with the UCCS security officer and the UCCS privacy officer to document periodic reviews the updates and archive previous versions of policies and retain for six years as per Attachment 2 Documentation Policy (Retention).

    Related Policies

    Code of Conduct
    IT Security Program
    Reporting and filing a complaint (see Compliance and Ethics Website)

    Reference

    45 CFR § 164.308(a)(8)

    Business Associates Policy

    Attachment 25

    Scope of Policy

    This policy governs relationships with, and operations involving business associates for UCCS designated health care components. All workforce members of UCCS designated health care components must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

    Those officers, agents, employees, business associates, contractors, affected vendors, temporary workers, students, and volunteers associated with UCCS designated health care components must read, understand, and comply with this policy in full and at all times.

    Policy Statement

    It is the Policy of UCCS and its designated health care components to establish and maintain business and working relationships with business associates that are in full compliance with all the requirements of HIPAA Final “Omnibus” Rule.

    Procedures

    1. Responsibility for maintaining appropriate and lawful relationships with business associates shall reside with each director/designate of a UCCS designated health care component in conjunction with the UCCS privacy officer and legal counsel, who shall ensure that: all aspects of the University's business associate relationships are appropriate; and individually identifiable health information, including protected health information (PHI), as defined by HIPAA, is properly protected and safeguarded by our business associates.
    2. Whenever possible the Business Associate Agreement (BAA) template form should be used and signed by the proper signatory with delegated authority pursuant to UCCS Campus Policy 100- 011 Managing and Executing University Contracts. If the BAA template is not used, the director/designate of the UCCS designated health care component must send the BAA to the UCCS privacy officer and legal counsel for review and approval.
    3. With regard to business associates, the duties and responsibilities of each director/designate of UCCS designated health care components, in conjunction with the UCCS privacy officer, shall include, but are not limited to the following:
      1. Ensure that all business associate contracts meet all HIPAA requirements and standards, including those requirements and standards amended by the HITECH Act, the HIPAA "Omnibus" Final Rule, and any requirements Colorado state law. All business associate contracts must:
        1. Ensure that individually identifiable health information, including PHI, is properly protected and safeguarded by business associates.
        2. Ensure that business associates understand the importance and necessity of protecting individually identifiable health information, including PHI, whether in electronic form (ePHI) or hardcopy form.
        3. Ensure that business associates have proper and appropriate safeguards in place for individually identifiable health information, including PHI, before entrusting such information to them.
        4. Ensure that business associates understand and are properly prepared to detect and respond to breaches of individually identifiable health information, including PHI.
    4. In cooperation with the University, business associates may work with, use, transmit, and/or receive individually identifiable health information, including PHI, which is afforded specific protections under HIPAA.
    5. Each director/designate of UCCS designated health care components has the primary responsibility in all business associate relationships to ensure that individually identifiable health information, including PHI, is properly protected and safeguarded.
    6. The HIPAA ("Omnibus") Final Rule specifically identifies the following types of entities as potential business associates:
      1. Subcontractors
      2. Patient safety organizations.
      3. Health Information Organizations (HIOs) and similar organizations. Health and Human Services declined to specifically define HIOs in the Omnibus Rule but chose the term "HIO" because it includes both Health Information Exchanges (HIEs) and regional health information organizations.
      4. E-Prescribing gateways.
      5. Personal Health Record (PHR) vendors that provide services on behalf of a covered entity. PHR vendors that do not offer PHRs on behalf of UCCS designated health care components are not business associates.
      6. Other firms or persons who "facilitate data transmission" that requires routine access to PHI.
    7. The minimum necessary standard now applies directly to business associates and their subcontractors. When using, disclosing or requesting PHI, all these entities must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
    8. Subcontractors of business associates are now business associates themselves. A subcontractor is defined as a person or entity to whom a business associate delegates a function, activity, or service involving PHI, and who is not a member of the business associate's own workforce. UCCS designated health care components are not required to enter into a contract or other arrangement with a business associate that is a subcontractor. That is the responsibility of the primary or first-tier business associate.
    9. Each director/designate of UCCS designated health care components shall fully document all business associate-related contracts and activities, in accordance with our Attachment 2 Documentation Policy and the requirements of HIPAA.

    Related Policies

    Code of Conduct
    Data Governance
    Electronic Communications
    E-Mail as Official Means of Communication
    Employment Background Checks
    IT Security Program
    Managing and Executing University Contracts
    Reporting and filing a complaint (see Compliance and Ethics Website)

    Reference

    45 CFR § 164.308(b)(1)
    45 CFR § 164.410
    45 CFR § 164.502(e)
    45 CFR § 164.504(e)

    Contingency Operations Policy

    Attachment 26

    Scope of Policy

    This policy governs contingency operations planning and implementation for UCCS designated health
    care components. All workforce members of UCCS designated health care components must comply with
    this policy. Demonstrated competence in the requirements of this policy is an important part of the
    responsibilities of every member of the workforce.

    Those officers, agents, employees, business associates, contractors, affected vendors, temporary
    workers, students, and volunteers associated with UCCS designated health care components must read,
    understand, and comply with this policy in full and at all times.

    Policy Statement

    1. It is the Policy of UCCS and its designated health care components to be fully prepared to protect individually identifiable health information, including protected health information (PHI) and electronic PHI (ePHI), during emergencies and contingency operations.
    2. Contingency Operations, for purposes of this policy document, are defined as processes and procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
    3. Contingency Operations plans and procedures, in combination with other emergency preparedness plans and procedures, shall be documented, analyzed, revised, and updated periodically in accordance with other established emergency preparedness and documentation policies and procedures.
    4. Responsibility for planning and executing contingency operations shall reside with the director/designate of each UCCS designated health care component, who shall prepare, analyze, test, and update plans for contingency operations on a periodic basis.
    5. It is the Policy of UCCS designated health care components to fully document all contingency operations plans and procedures.

    Procedures

    1. It is the responsibility of the director/designate of each UCCS designated health care component in conjunction with the UCCS security officer, to establish, and implement as needed, procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
    2. It is the responsibility of the director/designate of each UCCS designated health care component to ensure that contingency procedures and authorization are documented, see Attachment 27 Facility Security Policy.

    Related Policies

    Code of Conduct
    Data Governance
    Electronic Communications
    IT Security Program
    Reporting and filing a complaint (see Compliance and Ethics Website)

    Reference

    45 CFR § 164.310(a)(1-2)

    Facility Security Policy

    Attachment 27

    Scope of Policy

    This policy governs facility security for UCCS designated health care components. All workforce members of UCCS designated health care components must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

    Those officers, agents, employees, business associates, contractors, affected vendors, temporary workers, students, and volunteers associated with UCCS designated health care components must read, understand, and comply with this policy in full and at all times.

    Policy Statement

    1. It is the Policy of UCCS and its Designated Health Care Components to provide facility security, in addition to other technical and administrative safeguards, in order to provide protection for individually identifiable health information, including Protected Health Information (PHI).
    2. In addition to other technical and administrative safeguards, strong facility security is an essential element of our efforts to provide protection for individually identifiable health information, including PHI.

    Procedures

    1. It is the responsibility of the director/designate of each UCCS designated health care component in conjunction with the UCCS security officer, UCCS privacy officer, and UCCS Facilities Services Department to implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
    2. It is the responsibility of the director/designate of each UCCS designated health care component in conjunction with the UCCS security officer to ensure systems and electronic media containing PHI are located in physically secure locations. A secure location would minimally be defined as one that is not routinely accessible to the public, particularly if authorized personnel are not always available to monitor security.
    3. It is the responsibility of the director/designate of each UCCS designated health care component in conjunction with the UCCS Facilities Services Department to ensure that secure locations have physical access controls (card key, door locks, alarms, etc.) that prevent unauthorized entry, particularly during periods outside of normal work hours, or when authorized personnel are not present to monitor security. If logging is available, it should be enabled.
    4. It is the responsibility of the UCCS Facilities Services Department in conjunction with the UCCS security officer to ensure access to control systems are maintained in good working order.

    Related Policies

    Data Governance
    IT Security Program
    Reporting and filing a complaint (see Compliance and Ethics Website)

    Reference

    45 CFR § 164.310(a)(1-2)
    The Health Information Technology for Economic and Clinical Health Act (HITECH Act) National Institute for Standards and Technology (“NIST”)

    Access Control and Validation Policy

    Attachment 28

    Scope of Policy

    This policy governs access control and validation for UCCS designated health care components. All
    workforce members of UCCS designated health care components must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

    Those officers, agents, employees, business associates, contractors, affected vendors, temporary workers, students, and volunteers associated with UCCS designated health care components must read, understand, and comply with this policy in full and at all times.

    Policy Statement

    1. It is the Policy of UCCS and its designated health care components to implement and support strong and ongoing access control and validation procedures, in full compliance with all the requirements of HIPAA.
    2. Access control and validation procedures are designed to control and validate individual access to facilities based on role or function; including visitor control and access control for software testing and revision.
    3. Strong access control and validation procedures are an essential element of protecting individually identifiable health information, including protected health information (PHI).

    Procedures

    1. It is the responsibility of the director/designate of each UCCS designated health care component in conjunction with the UCCS security officer and the UCCS privacy officer to implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
    2. It is the responsibility of the director/designate of each UCCS designated health care component in conjunction with the UCCS security officer to develop an access plan for facilities containing electronic PHI (ePHI) that utilizes role- or function-based access control, including for visitors, service providers, and contractors.
    3. It is the responsibility of the director/designate of each UCCS designated health care component in conjunction with the UCCS security officer to ensure the role- or function-based access control and validation procedures are closely aligned with the facility security plan.
    4. It is the responsibility of the director/designate of each UCCS designated health care component in conjunction with the UCCS security officer to ensure the security plan for facilities containing ePHI includes key systems or electronic door access.
    5. It is the responsibility of the director/designate of each UCCS designated health care component in conjunction with the UCCS security officer, the UCCS privacy officer, the UCCS Department of Facility Services, and the UCCS Department of Human Resources to conduct a periodic (at least annual) review and implementation of termination procedures, which may include a review of key inventory or electronic door access, to ensure currency of access authorization.

    Related Policies

    Data Governance
    IT Security Program
    Reporting and filing a complaint (see Compliance and Ethics Website)

    Reference

    45 CFR § 164.310(a)(1-2)
    The Health Information Technology for Economic and Clinical Health Act (HITECH Act) National Institute for Standards and Technology (“NIST”)

    Facility Security Maintenance Records Policy

    Attachment 29

    Scope of Policy

    This policy governs the disposition of records pertaining to maintenance of the physical security of UCCS designated health care components facilities. All workforce members of UCCS designated health care components must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

    Those officers, agents, employees, business associates, contractors, affected vendors, temporary workers, students, and volunteers associated with UCCS designated health care components must read, understand, and comply with this policy in full and at all times.

    Policy Statement

    1. It is the Policy of UCCS and its designated health care components to create and maintain complete facility security maintenance records, in full compliance with all the requirements of HIPAA.
    2. Facility security maintenance records are created to document repairs and changes to physical elements of a facility related to security.
    3. It is the Policy of UCCS and its designated health care components to fully document facility security maintenance records-related activities and efforts.

    Procedures

    1. It is the responsibility of the director/designate of each UCCS designated health care component in conjunction with the UCCS Facility Services Department to implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security, such as hardware, walls, doors, and locks.
    2. It is the responsibility of the director/designate of each UCCS designated health care component in conjunction with the UCCS Facility Services Department to develop policies and procedures for maintaining a record of any maintenance repairs and modifications to physical components of a facility containing electronic protected health information (ePHI) related to security, such as hardware, walls, doors, and locks.
      1. Documentation should contain appropriate detail for review, including date, repair, and/or modification(s) made, and the contractor’s name and contact information.
      2. Documentation should be stored securely.
    3. It is the responsibility of each UCCS designated health care component’s leadership in conjunction with the UCCS Facility Services Department to identify individual(s) responsible for recording and maintaining these records.

    Related Policies

    Data Governance
    IT Security Program
    Reporting and filing a complaint (see Compliance and Ethics Website)

    Reference

    45 CFR § 164.310(a)(1-2)
    The Health Information Technology for Economic and Clinical Health Act (HITECH Act) National Institute for Standards and Technology (“NIST”)

    Workstation Use and Security Policy

    Attachment 30

    Scope of Policy

    This policy governs information use and security for UCCS designated health care components. All
    workforce members of UCCS designated health care components must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

    Those officers, agents, employees, business associates, contractors, affected vendors, temporary workers, students, and volunteers associated with UCCS designated health care components must read, understand, and comply with this policy in full and at all times.

    Policy Statement

    1. It is the Policy of UCCS and its designated health care components to configure, operate, and maintain our information workstations in full compliance with all the requirements of HIPAA.
    2. UCCS’s objective in these efforts is to provide reasonable protections for individually identifiable health information, including protected health information (PHI).
    3. Specific procedures shall be developed to specify the proper functions, procedures, and appropriate environments of workstations that access individually identifiable health information, including PHI.
    4. Responsibility for the development and implementation of this workstation security policy, and any procedures associated with it, shall reside with the director/designate of each UCCS designated health care component in conjunction with the UCCS security officer, who shall ensure that this policy is maintained, updated as necessary, and implemented fully throughout our organization.
    5. Specific procedures shall be developed to implement physical safeguards for all workstations that access individually identifiable health information, including PHI, to restrict access to authorized users only.
    6. It is the Policy of UCCS and its designated health care components to fully document all workstation-use-related activities and efforts, in accordance with the requirements of HIPAA.

    Procedures

    1. Workstation Use.
      1. It is the responsibility of the director/designate of each UCCS designated health care component in conjunction with the UCCS security officer to implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic PHI (ePHI).
      2. Procedures for securing all UCCS workstations are defined by the UCCS Office of Information Technology (OIT) in Security Standards for Information Systems.
      3. It is the responsibility of the director/designate of each UCCS designated health care component in conjunction with the UCCS security officer to ensure functions to be performed on workstations containing or accessing ePHI are aligned with roles.
      4. It is the responsibility of the director/designate of each UCCS designated health care component in conjunction with the UCCS security officer to develop policies and procedures that specify where to place and position workstations to only allow viewing by authorized individuals, as well as additional privacy measures, commensurate with the risk of exposure.
      5. It is the responsibility of the director/designate of each UCCS designated health care component in conjunction with the UCCS security officer to ensure unencrypted ePHI will not be stored on portable electronic devices, including laptops.
      6. It is the responsibility of the director/designate of each UCCS designated health care component in conjunction with the UCCS security officer to ensure storage of ePHI on non- University equipment is forbidden, except in the case of storage by a third party with a HIPAA Business Associate Agreement.
      7. It is the responsibility of the director/designate of each UCCS designated health care component in conjunction with the UCCS security officer and the UCCS OIT to ensure remote access of ePHI will utilize secure channels.
      8. It is the responsibility of each workforce member to lock their computer when not in use and secure any PHI visible to non-workforce members.
    2. Workstation Security
      1. It is the responsibility of the director/designate of each UCCS designated health care component in conjunction with the UCCS security officer to ensure all workstations, including laptops, containing ePHI are to be physically secured, meaning locked down.
      2. It is the responsibility of the director/designate of each UCCS designated health care component in conjunction with the UCCS security officer to ensure all workstations and electronic devices that contain or access ePHI will be identified, such as laptops, desktop computers, and personal digital assistants (PDAs).
      3. It is the responsibility of the director/designate of each UCCS designated health care component in conjunction with the UCCS security officer to ensure unencrypted ePHI will not be stored on portable electronic devices, including laptops.
      4. If ePHI is stored on removable media, additional physical controls must be implemented, such as ensuring that the device is physically secured or in the physical possession of the responsible party. Encryption is a compensating control for these additional measures.

    Related Policies

    Code of Conduct
    Data Governance
    Electronic Communications
    IT Security Program
    Reporting and filing a complaint (see Compliance and Ethics Website)

    Reference

    45 CFR § 164.310(b-c)

    Media Disposal and Re-Use Hardware and Media Accountability Policy

    Attachment 31

    Scope of Policy

    This policy governs media disposal and re-use for UCCS designated health care components. All workforce members of UCCS designated health care components must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

    Those officers, agents, employees, business associates, contractors, affected vendors, temporary workers, students, and volunteers associated with UCCS designated health care components must read, understand, and comply with this policy in full and at all times.

    Policy Statement

    1. It is the Policy of UCCS and its designated health care components to dispose of all media containing individually identifiable health information, including protected health information (PHI) and maintain records of the movements of hardware and electronic media, in full compliance with all the requirements of HIPAA.
    2. Media containing individually identifiable health information, including PHI, must be completely erased, properly encrypted, or totally destroyed in its final disposition, or the data residing on such media is subject to recovery and subsequent misuse or theft.
    3. It is the Policy of UCCS and its designated health care components to properly erase and/or sanitize (“wipe”) all media containing individually identifiable health information, including PHI, before any media may be re-used.
    4. Responsibility for proper media disposal and disposition shall reside with the director/designate of each UCCS designated health care component, who shall develop procedures to ensure the proper disposition of all such media.
    5. Responsibility for proper media re-use shall reside with the director/designate of each UCCS designated health care components, who shall develop procedures to ensure the proper disposition of all such media before any re-use.
    6. It is the Policy of UCCS and its designated health care components to maintain records of the movements of hardware and electronic media, and any person responsible therefore, in full compliance with all the requirements of HIPAA.
    7. Responsibility for the development and implementation of this hardware and media accountability policy, and any procedures associated with it, shall reside with the director/designate of each UCCS designated health care component, who shall ensure that these procedures are maintained, updated as necessary, and implemented fully within the healthcare component.
    8. Specific procedures shall be developed to ensure that UCCS maintains records of the movements of hardware and electronic media, and any person responsible therefore.

    Procedures

    1. Device and Media Disposal.
      1. It is the responsibility of the director/designate of each UCCS designated health care component in conjunction with the UCCS security officer to implement policies and procedures to address the final disposition of electronic PHI (ePHI), and/or the hardware or electronic media on which it is stored, see section 1.c below.
      2. It is the responsibility of the director/designate of each UCCS designated health care component in conjunction with the UCCS security officer to ensure that ePHI on hardware and electronic media, including copiers, faxes, printers, etc., is unusable and/or inaccessible prior to disposal, including disposal by a business associate (Attachment 25 Business Associates).
      3. It is the responsibility of the director/designate of each UCCS designated health care component in conjunction with the UCCS security officer to follow UCCS Policy 700-006 Computer and Electronics Disposal.
      4. It is the responsibility of the director/designate of each UCCS designated health care component in conjunction with the UCCS security officer to ensure that when portable media is discarded, it must either be overwritten in accordance with National Institute of Standards and Technology (NIST) guidelines, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf, or physically destroyed, eliminating all possibility that any ePHI contents could be read.
      5. It is the responsibility of the director/designate of each UCCS designated health care component in conjunction with the UCCS security officer to ensure when a system is recycled, transferred to another user not authorized for the data, or discarded, all storage devices or all ePHI records must be overwritten in accordance with NIST guidelines (link above), or physically destroyed, rendering all ePHI records unreadable.
    2. Media Re-Use.
      1. It is the responsibility of the director/designate of each UCCS designated health care component in conjunction with the UCCS security officer to implement procedures for removal of ePHI from electronic media before the media are made available for re-use.
      2. It is the responsibility of the director/designate of each UCCS designated health care component in conjunction with the UCCS security officer to ensure that ePHI on hardware and electronic media is unusable and/or inaccessible prior to re-use.
      3. When a system is recycled or transferred to another user not authorized for the data, or otherwise re-used outside of a HIPAA-compliant environment, all storage devices or all ePHI records must be overwritten in accordance with National Institute of Standards and Technology (NIST) guidelines, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf, rendering all ePHI records unreadable.

    Related Policies

    Code of Conduct
    Data Governance
    IT Security Program
    Reporting and filing a complaint (see Compliance and Ethics Website)
    UCCS Campus Policy 700-002 Responsible Computing
    UCCS Campus Policy 700-005 Computer Security Incident Response
    UCCS Campus Policy 700-006 Computer and Electronic Disposal

    Reference

    45 CFR § 164.310(a)(1-2)
    The Health Information Technology for Economic and Clinical Health Act (HITECH Act) National Institute for Standards and Technology (“NIST”)

    Unique User Identification Policy

    Attachment 32

    Scope of Policy

    This policy governs the issuance, maintenance, and security of unique user identification’s (ID’s) for access to UCCS designated health care components. All workforce members of UCCS designated health care components must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

    Those officers, agents, employees, business associates, contractors, affected vendors, temporary workers, students, and volunteers associated with UCCS designated health care components must read, understand, and comply with this policy in full and at all times.

    Policy Statement

    1. It is the Policy of UCCS and its designated health care components to exclusively use unique user ID’s for all information system access and activities, in full compliance with all the requirements of HIPAA.
    2. Responsibility for the development and implementation of this unique user ID policy, and any procedures associated with it, shall reside with the director/designate of each UCCS designated health care component, who shall ensure that access to all UCCS information systems and data is accomplished exclusively through the use of unique user ID’s.
    3. Nothing in this policy shall limit the use of additional security measures, including login and access measures that may further enhance the security and protection UCCS provides to individually identifiable health information, including protected health information (PHI).

    Procedures

    1. It is the responsibility of the director/designate of each UCCS designated health care component in conjunction with the UCCS security officer to implement technical policies and procedures for electronic information systems that maintain electronic PHI (ePHI) to allow access only to those persons or software programs that have been granted access rights (Attachment 28 Access Control Validation Policy).
    2. It is the responsibility of the director/designate of each UCCS designated health care component in conjunction with the UCCS security officer to assign a unique name and/or number for identifying and tracking user identity.
    3. It is the responsibility of the director/designate of each UCCS designated health care component in conjunction with the UCCS security officer to provide a unique account, with a unique username/user ID and password, for access to ePHI.
    4. It is the responsibility of the director/designate of each UCCS designated health care component in conjunction with the UCCS security officer to assure shared accounts are not permitted for access to ePHI.

    Related Policies

    Data Governance
    IT Security Program
    Reporting and filing a complaint (see Compliance and Ethics Website)

    Reference

    45 CFR § 164.310(a)(1-2)

    Emergency Access Policy

    Attachment 33

    Scope of Policy

    This policy governs access to protected health information (PHI) during emergencies affecting UCCS designated health care components. All workforce members of UCCS designated health care components must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

    Those officers, agents, employees, business associates, contractors, affected vendors, temporary workers, students, and volunteers associated with UCCS designated health care components must read, understand, and comply with this policy in full and at all times.

    Policy Statement

    1. It is the Policy of UCCS and its designated health care components to establish and implement emergency access procedures, in full compliance with all the requirements of HIPAA.
    2. These emergency access procedures apply to access to individually identifiable health information, including PHI.
    3. Responsibility for the development and implementation of UCCS emergency access procedures shall reside with the director/designate of each UCCS designated health care component, who shall ensure that these procedures are maintained, updated as necessary, and implemented fully throughout their department.
    4. Specific procedures shall be developed to ensure that authorized workforce members can access individually identifiable health information, including PHI during emergencies.
    5. These emergency access procedures shall be developed and implemented in combination with our emergency preparedness and response plans.
    6. It is the Policy of UCCS and its designated health care components to fully document our emergency access procedures development and implementation, in accordance with our Attachment 2, “Documentation,” and the requirements of HIPAA.

    Procedures

    1. It is the responsibility of the director/designate of each UCCS designated health care component in conjunction with the UCCS security officer to establish (and implement as needed) procedures for obtaining necessary electronic PHI (ePHI) during an emergency.
    2. It is the responsibility of the director/designate of each UCCS designated health care component in conjunction with the UCCS security officer to establish procedures to ensure that necessary ePHI can be accessed during an emergency.
      1. Emergency access procedures may be included in contingency plan procedures (see Attachment 26 Contingency Operations Policy).
    3. It is the responsibility of the director/designate of each UCCS designated health care component in conjunction with the UCCS security officer to develop emergency access procedures that shall be written and communicated in advance to all individuals in the department.
    4. It is the responsibility of the director/designate of each UCCS designated health care component to ensure emergency access procedures should not rely on the availability of a single individual.
    5. It is the responsibility of the director/designate of each UCCS designated health care component to ensure access to emergency procedures should not rely on the availability of local power or network.
    6. It is the responsibility of the director/designate of each UCCS designated health care component to identify roles that may require special access during an emergency.
      1. Individuals are to require proper ID or other official verification before granting access to unknown or not-normally-authorized individuals in emergency circumstances.

    Related Policies

    Code of Conduct
    Data Governance
    IT Security Program
    Reporting and filing a complaint (see Compliance and Ethics Website)

    Reference

    45 CFR § 164.104
    45 CFR § 164.306
    45 CFR § 164.312(a)(1)

    Automatic Log-Off Policy

    Attachment 34

    Scope of Policy

    This policy governs the implementation of automatic log-offs for UCCS designated health care components. All workforce members of UCCS designated health care components must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

    Those officers, agents, employees, business associates, contractors, affected vendors, temporary workers, students, and volunteers associated with UCCS designated health care components must read, understand, and comply with this policy in full and at all times.

    Policy Statement

    1. It is the Policy of UCCS and its designated health care components to always use automatic log- off applications or systems on all workstations and computers, in full compliance with the requirements of HIPAA.
    2. Responsibility for the development and implementation of this automatic log-off policy, and any procedures associated with it, shall reside with the director/designate of each UCCS designated health care component in conjunction with the UCCS security officer, who shall ensure that this policy is maintained, updated as necessary, and implemented fully throughout our organization.
    3. Specific procedures shall be developed to specify the proper functions and procedures of our automatic log-off systems on all computers and workstations that access individually identifiable health information, including protected health information (PHI).

    Procedures

    1. It is the responsibility of the UCCS security officer in conjunction with the director/designate of each UCCS designated health care component to implement electronic procedures that terminate an electronic session after a predetermined time of inactivity as per Attachment 38 Person or Entity Authentication.
    2. It is the responsibility of the UCCS security officer in conjunction with the director/designate of each UCCS designated health care component to ensure, where possible, that electronic sessions terminate after a period of inactivity.
    3. It is the responsibility of the UCCS security officer in conjunction with the director/designate of each UCCS designated health care component to ensure, where session termination is not possible, either technically or from a business process perspective, automatic workstation lockout is implemented as a compensating control.
    4. It is the responsibility of the UCCS security officer in conjunction with the director/designate of each UCCS designated health care component to ensure a maximum duration of inactivity prior to session termination or automatic workstation lockout is 10 minutes. The UCCS Office of Information Technology (OIT) may consider written requests for exceptions to the 10-minute requirement. These requests will be kept on file for 6 years.

    Related Policies

    Code of Conduct
    Computer and Electronic Disposal
    Data Governance
    Electronic Communications
    E-Mail as Official Means of Communication
    Employment Background Checks
    IT Security Program
    Reporting and filing a complaint (see Compliance and Ethics Website)

    Reference

    45 CFR § 164.310(a)(1-2)

    Encryption and Decryption Policy

    Attachment 35

    Scope of Policy

    This policy governs the encryption and decryption of protected health information (PHI) for UCCS designated health care components. All workforce members of UCCS designated health care components must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

    Those officers, agents, employees, business associates, contractors, affected vendors, temporary workers, students, and volunteers associated with UCCS designated health care components must read, understand, and comply with this policy in full and at all times.

    Policy Statement

    1. It is the Policy of UCCS and its designated health care components to establish and maintain this encryption and decryption policy in full compliance with all the requirements of HIPAA.
    2. Responsibility for the development and implementation of this encryption and decryption policy, and any procedures associated with it, shall reside with UCCS security officer, who shall ensure that this policy is maintained, updated as necessary, and implemented fully throughout our organization.
    3. Specific procedures shall be developed to specify the proper usage and application of encryption and decryption for all computers and workstations that access individually identifiable health information, including PHI.

    Procedures

    1. It is the responsibility of the UCCS security officer in conjunction with the UCCS Office of Information Technology (OIT) to implement a mechanism to encrypt and decrypt electronic PHI (ePHI).
    2. It is the responsibility of the UCCS security officer in conjunction with the UCCS OIT to implement appropriate security measures, such as encryption, to protect ePHI from unauthorized access.
      1. Unencrypted ePHI will not be stored on portable electronic devices, including laptops (see Attachment 30 Workstation Use and Security
    3. It is the responsibility of the UCCS security officer in conjunction with the UCCS OIT to, in situations where encryption is problematic, implement the alternative compensating controls below as appropriate.
      1. It is the responsibility of the UCCS security officer to keep an explanation for why encryption is not being implemented.
      2. Alternative, reasonable, and appropriate compensating controls if encryption is not in place for stored ePHI:
        1. Access controls, including unique user ID & password authentication, and user profiles.
        2. Hardening of systems (see Attachment 31 Media Disposal and Re-Use/Hardware & Media Accountability - for details).
        3. Physical security for access to facilities and workstations that contain or access ePHI, including appropriate device and media controls.
        4. Technical enforcement of complex passwords where possible.
        5. Enabling of system security auditing/logging, including monitoring of audit reports/logs.
        6. Correct configuration of applications to use secure protocols.
        7. Implementation of automatic logoff and/or screen lock (see Attachment 34 Automatic Log-Off Policy for details).
        8. Secure remote access.
        9. Implementation of correctly configured firewalls (hardware and/or software).

     

    Related Policies

    Code of Conduct
    Data Governance
    Electronic Communications
    E-Mail as Official Means of Communication
    IT Security Program
    Reporting and filing a complaint (see Compliance and Ethics Website)

    Reference

    45 CFR § 164.310(a)(1-2)

    Audit Controls Policy

    Attachment 36

    Scope of Policy

    This policy governs audit controls for UCCS designated health care components. All workforce members
    of UCCS designated health care components must comply with this policy. Demonstrated competence in
    the requirements of this policy is an important part of the responsibilities of every member of the
    workforce.

    Those officers, agents, employees, business associates, contractors, affected vendors, temporary
    workers, students, and volunteers associated with UCCS designated health care components must read,
    understand, and comply with this policy in full and at all times.

    Policy Statement

    1. It is the Policy of UCCS and its designated health care components to establish and maintain appropriate and effective audit controls in full compliance with the requirements of HIPAA.
    2. Responsibility for the development and implementation of this audit controls policy, and any procedures associated with it, shall reside with the UCCS security officer, who shall ensure that this policy is maintained, updated as necessary, and implemented fully throughout our organization.
    3. Specific procedures shall be developed to specify the proper usage and application of audit controls for all computers, workstations, and systems that access individually identifiable health information, including protected health information (PHI).

    Procedures

    1. It is the responsibility of the UCCS security officer in conjunction with the UCCS Office of Information Technology (OIT), and if necessary the director/designate of each UCCS designated health care component, to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic PHI (ePHI).
    2. It is the responsibility of the UCCS security officer in conjunction with the UCCS OIT, and if necessary the director/designate of each UCCS designated health care component, to establish criteria for log creation, retention, and examination of activity.
    3. It is the responsibility of the UCCS security officer in conjunction with the UCCS OIT, and if necessary the director/designate of each UCCS designated health care component, to review whether new systems should be selected and to ensure that all systems have the ability to support audit requirements.
    4. See Attachment 13 Information System Activity Review / Authorization & Supervision / Log-in Monitoring Policy for additional administrative practices.
    5. It is the responsibility of the director/designate of each UCCS designated health care component to assist the UCCS privacy officer and the UCCS security officer in the event there is a for-cause audit to access audit trails and any documentation necessary.

    Related Policies

    Code of Conduct
    Data Governance
    IT Security Program
    Reporting and filing a complaint (see Compliance and Ethics Website)

    Reference

    45 CFR § 164.312(b)

    Data Integrity Controls Policy

    Attachment 37

    Scope of Policy

    This policy governs data integrity controls for UCCS designated health care components. All workforce members of UCCS designated health care components must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

    Those officers, agents, employees, business associates, contractors, affected vendors, temporary workers, students, and volunteers associated with UCCS designated health care components must read, understand, and comply with this policy in full and at all times.

    Policy Statement

    1. It is the Policy of UCCS and its designated health care components to establish and maintain appropriate and effective data integrity controls in full compliance with the requirements of HIPAA.
    2. Responsibility for the development and implementation of this data integrity controls policy, and any procedures associated with it, shall reside with the UCCS security officer, who shall ensure that this policy is maintained, updated as necessary, and implemented fully throughout our organization.
    3. Specific procedures shall be developed to specify the proper usage and application of data integrity controls for all computers, workstations, and systems that access individually identifiable health information, including protected health information (PHI).

    Procedures

    1. It is the responsibility of the UCCS security officer in conjunction with the UCCS Office of Information Technology (OIT), and if necessary the director/designate of each UCCS designated health care component, to implement policies and procedures to protect electronic PHI (ePHI) from improper alteration or destruction.
    2. It is the responsibility of the UCCS security officer in conjunction with the UCCS OIT, and if necessary the director/designate of each UCCS designated health care component, to implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.
    3. It is the responsibility of the UCCS security officer in conjunction with the UCCS OIT, and if necessary the director/designate of each UCCS designated health care component, to leverage application-specific mechanisms or functionality when available to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.
    4. It is the responsibility of the UCCS security officer in conjunction with the UCCS OIT, and if necessary the director/designate of each UCCS designated health care component, to regularly review access logs for unauthorized direct access or administrator/root access to table data containing ePHI. The frequency at which activity logs are reviewed and the extent, frequency, and nature of reviews are determined by the UCCS designated health care component’s security environment and overall security management process.
    5. It is the responsibility of the UCCS security officer in conjunction with the UCCS OIT, and if necessary each UCCS designated health care component’s leadership, to implement the following practices as a means of protecting ePHI from being altered or destroyed in an unauthorized manner:
      1. Ensure appropriate physical security is in place for devices that contain or access ePHI (see Attachment 15 Security Reminders Policy).
      2. Ensure HIPAA systems meet UCCS's Minimum Network Connectivity Requirements. C. Protect all devices against malicious software (see Attachment 16 Protection from malicious software.
      3. Protect sensitive data with appropriate strategies, such as secure file transfer (See Attachment 39 Data Transmission Security Policy).
      4. Implement processes to notify users and take other appropriate remedial action in the event of propagation of malicious software (see Attachment 16 Protection from malicious software.

     

    Related Policies

    Code of Conduct
    Computer and Electronic Disposal
    Data Governance
    Electronic Communications
    E-Mail as Official Means of Communication
    Employment Background Checks
    IT Security Program
    Reporting and filing a complaint (see Compliance and Ethics Website)

    Reference

    45 CFR § 164.312(c)(1-2)

    Person or Entity Authentication Policy

    Attachment 38

    Scope of Policy

    This policy governs authentication of persons or entities seeking access to electronic protected health information (ePHI) in the possession of UCCS designated health care components. All workforce members of UCCS designated health care components must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

    Those officers, agents, employees, business associates, contractors, affected vendors, temporary workers, students, and volunteers associated with UCCS designated health care components must read, understand, and comply with this policy in full and at all times.

    Policy Statement

    1. It is the Policy of UCCS and its designated health care components to establish and maintain this Policy in full compliance with all the requirements of HIPAA.
    2. Responsibility for the development and implementation of this Policy, and any procedures associated with it, shall reside with each director/designate of UCCS designated health care components, who shall ensure that this policy is maintained, updated as necessary, and implemented fully throughout our organization.
    3. Specific procedures shall be developed to specify the proper authentication of persons and entities who request access to individually identifiable health information, including protected health information (PHI) on UCCS computers, workstations and systems.

    Procedures

    1. It is the responsibility of the UCCS security officer in conjunction with the UCCS Office of Information Technology (OIT), and if necessary the director/designate of each UCCS designated health care component, to implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.
    2. It is the responsibility of the UCCS security officer in conjunction with the UCCS OIT, and if necessary the director/designate of each UCCS designated health care component, to ensure each user must be provided a unique account, with a unique user Name/ID and password, for access to ePHI as per Attachment 32 Unique User Identification Policy.
      1. Generic or shared accounts are not permitted for access to ePHI.
      2. Passwords for access to ePHI will not be shared by UCCS employees or workforce members.
      3. All passwords providing access to ePHI, including local administrator/root passwords, must comply with the UCCS Policy on Responsible Computing 700-002.
      4. Physically protect passwords.
    3. It is the responsibility of the UCCS security officer in conjunction with the UCCS OIT, and if necessary each UCCS designated health care component’s leadership, to review, as appropriate,workstation, operating system, and application access logs, as well as failed or successful changes to account permissions (also see Attachment 28 Access Control and Validation Policy.))
    4. It is the responsibility of the UCCS security officer in conjunction with the UCCS OIT, and if necessary the director/designate of each UCCS designated health care component, to ensure systems and applications will not be configured to save passwords.
    5. All of the above practices apply to vendors and third parties. A notification or suspicion of misconduct should be reported to the UCCS privacy officer and the UCCS security officer as soon as possible as per Attachment 18 Security Incident Policy.

    Related Policies

    Code of Conduct
    Computer and Electronic Disposal
    Data Governance
    Employment Background Checks
    IT Security Program
    Reporting and filing a complaint (see Compliance and Ethics Website)

    Reference

    45 CFR § 164.312(d)

    Data Transmission Security Policy

    Attachment 39

    Scope of Policy

    This policy governs data transmission security for UCCS designated health care components. All workforce members of UCCS designated health care components must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the workforce.

    Those officers, agents, employees, business associates, contractors, affected vendors, temporary workers, students, and volunteers associated with UCCS designated health care components must read, understand, and comply with this policy in full and at all times.

    Policy Statement

    1. It is the Policy of UCCS and its designated health care components to establish and implement technical security measures to guard against unauthorized access to electronic protected health information (ePHI) that is being transmitted over an electronic communications network, in full compliance with the requirements of HIPAA.
    2. Responsibility for the development and implementation of these procedures shall reside with the UCCS security officer, who shall ensure that these procedures are maintained, updated as necessary, and implemented fully throughout our organization.
    3. Specific data transmission security procedures shall be developed to protect individually identifiable health information, including ePHI.

    Procedures

    1. It is the responsibility of the UCCS security officer in conjunction with the UCCS Office of Information Technology (OIT), and if necessary the director/designate of each UCCS designated health care component, to implement technical security measures to guard against unauthorized access to ePHI that is being transmitted over an electronic communications network.
    2. It is the responsibility of the UCCS security officer in conjunction with the UCCS OIT, and if necessary the director/designate of each UCCS designated health care component, to implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection, until disposed.
    3. It is the responsibility of the UCCS security officer in conjunction with the UCCS OIT, and if necessary the director/designate of each UCCS designated health care component, to ensure wired and wireless transmission of ePHI will use secure protocols.
    4. It is the responsibility of the UCCS security officer in conjunction with the UCCS OIT, and if necessary the director/designate of each UCCS designated health care component, to ensure all remote access of ePHI must be by secure methods only.
    5. It is the responsibility of the UCCS security officer in conjunction with the UCCS OIT, and if necessary the director/designate of each UCCS designated health care component, to ensure unprotected ePHI shall not be sent via unencrypted methods.
      • It is acceptable to send ePHI via email in encrypted, password-protected attachments to known business partners, and in response to legitimate requests if no secure channel exists.
    6. UCCS workforce members must delete or redact ePHI from the body of received email before replying to it.
    7. It is the responsibility of the UCCS security officer in conjunction with the UCCS OIT, and if necessary the director/designate of each UCCS designated health care component, to implement a mechanism to encrypt ePHI whenever deemed appropriate.

    Related Policies

    Code of Conduct
    Computer and Electronic Disposal
    Data Governance
    Electronic Communications
    E-Mail as Official Means of Communication
    IT Security Program
    Reporting and filing a complaint (see Compliance and Ethics Website)

    Reference

    45 CFR § 164.312(e)(1)