Policy 710 - HIPAA Complaint Procedures

Section: Employee Relations
Policy Number: 710
Responsible Office: General Counsel
Effective Date: 4/14/03
Revised: 1/17/06; 8/1/16


Administrators, staff and faculty may use these complaint procedures.

Overview of HIPAA’s Privacy Rules
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law enacted by Congress in 1996. The law originally sought to protect employees who changed jobs against the loss of health insurance, or from being subject to exclusions for pre-existing conditions under their new health insurance. HIPAA’s privacy rules became effective on April 14, 2003. The HIPAA privacy rules provide guidelines for safeguarding the use and disclosure of individually identifiable health information. The University has an obligation to reasonably safeguard this protected health information (“PHI”) from any intentional or unintentional use or disclosure that is in violation of the privacy rules. In general, covered entities, or covered components of hybrid entities, may not use or disclose PHI except as authorized by the individual or as explicitly permitted by the privacy rules.

Protected Health Information (“PHI”)
PHI is individually identifiable health information created or received by a covered entity or covered component that relates to the physical or mental health or condition of the individual, or payment for the health care of the individual, regardless of the form in which the information is stored.

Covered Components of the University
The University is considered a “hybrid entity” under HIPAA, meaning that certain areas of the University are covered and need to comply with HIPAA, while other areas do not. A “hybrid entity” is a single legal entity that provides health care services or products as an ancillary to the operation of its primary business. HIPAA only applies to the health care components of the hybrid. In general, covered components are those that: a) are considered health care providers or health plans under HIPAA; b) engage in health care transactions; and c) transmit certain health information electronically in connection with “health care transactions” as defined by HIPAA.

Covered components and areas of the University affected by HIPAA may change from time to time as practices change in these areas. Currently, the covered components of the University are: the Athletics Department; the Speech and Hearing Center; and the Employee Benefits and Student Benefits areas.

Privacy Official
The University’s Privacy Official is responsible for the development and implementation of the policies and procedures required under HIPAA. The Privacy Official is also responsible for:

  • Ensuring compliance
  • Answering questions
  • Responding to and resolving complaints

Joshua Hurwit is the University’s designated HIPAA Privacy Official. He can be contacted by phone at (718) 990-5699, or by email at [email protected]. Employees who believe that their PHI has been used or disclosed improperly by the University have the right to file a complaint. Complaints can be filed with the University’s Privacy Official or with the U.S. Department of Health and Human Services, Office for Civil Rights.

University employees found to be in violation of HIPAA’s privacy standards may be subject to corrective action, up to and including termination of employment. In addition, the wrongful disclosure of PHI under HIPAA is a criminal offense that can carry penalties for “knowing” violations that include substantial monetary fines and imprisonment.

Complaint Procedure
The following complaint process is available to assist employees who believe their privacy rights under HIPAA have been violated.

  1. Employees may file a complaint with the University’s designated HIPAA Privacy Official in the manner provided above under “Privacy Official.”
  2. All complaints must be submitted in writing.
  3. The Privacy Official has authority to conduct an investigation into the complaint.
  4. Employees shall be protected from retaliation as a result of filing a complaint.
  5. Employees who believe that the University is not complying with HIPAA requirements may also file a health information privacy complaint with the Secretary of the United States Department of Health and Human Services. Complaints must be made in writing and submitted via paper, fax or email to the appropriate regional office of the DHHS Office for Civil Rights.

The University reserves the right to amend these complaint procedures at any time and in any manner effective immediately with or without prior notice.

St. John's University, New York
Human Resources Policy Manual