Section: Employee Relations
Policy Number: 710
Responsible Office: General Counsel
Effective Date: 4/14/03
Revised: 1/17/06; 8/1/16
Administrators, staff and faculty may use these complaint procedures.
Overview of HIPAA’s Privacy Rules
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law enacted by Congress in 1996. The law originally sought to protect employees who changed jobs against the loss of health insurance, or from being subject to exclusions for pre-existing conditions under their new health insurance. HIPAA’s privacy rules became effective on April 14, 2003. The HIPAA privacy rules provide guidelines for safeguarding the use and disclosure of individually identifiable health information. The University has an obligation to reasonably safeguard this protected health information (“PHI”) from any intentional or unintentional use or disclosure that is in violation of the privacy rules. In general, covered entities, or covered components of hybrid entities, may not use or disclose PHI except as authorized by the individual or as explicitly permitted by the privacy rules.
Protected Health Information (“PHI”)
PHI is individually identifiable health information created or received by a covered entity or covered component that relates to the physical or mental health or condition of the individual, or payment for the health care of the individual, regardless of the form in which the information is stored.
Covered Components of the University
The University is considered a “hybrid entity” under HIPAA, meaning that certain areas of the University are covered and need to comply with HIPAA, while other areas do not. A “hybrid entity” is a single legal entity that provides health care services or products as an ancillary to the operation of its primary business. HIPAA only applies to the health care components of the hybrid. In general, covered components are those that: a) are considered health care providers or health plans under HIPAA; b) engage in health care transactions; and c) transmit certain health information electronically in connection with “health care transactions” as defined by HIPAA.
Covered components and areas of the University affected by HIPAA may change from time to time as practices change in these areas. Currently, the covered components of the University are: the Athletics Department; the Speech and Hearing Center; and the Employee Benefits and Student Benefits areas.
The University’s Privacy Official is responsible for the development and implementation of the policies and procedures required under HIPAA. The Privacy Official is also responsible for:
Joshua Hurwit is the University’s designated HIPAA Privacy Official. He can be contacted by phone at (718) 990-5699, or by email at [email protected]. Employees who believe that their PHI has been used or disclosed improperly by the University have the right to file a complaint. Complaints can be filed with the University’s Privacy Official or with the U.S. Department of Health and Human Services, Office for Civil Rights.
University employees found to be in violation of HIPAA’s privacy standards may be subject to corrective action, up to and including termination of employment. In addition, the wrongful disclosure of PHI under HIPAA is a criminal offense that can carry penalties for “knowing” violations that include substantial monetary fines and imprisonment.
The following complaint process is available to assist employees who believe their privacy rights under HIPAA have been violated.
The University reserves the right to amend these complaint procedures at any time and in any manner effective immediately with or without prior notice.
St. John's University, New York
Human Resources Policy Manual