Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Policy Approval Authority: President
Responsible Division: Board of Trustees
Contact Person: Chelsea Duis
Primary Audience: Faculty
Status: Active
Effective Adoption Date: 06-20-2002
Last Review Date: 06-20-2002
Policy Category/Categories: Athletics; Board of Trustees; Ethics & Conduct; Faculty & Academics; Human Resources / Employment; Student Affairs

The President has assigned the Corporation Counsel to guide the university's compliance efforts related to the federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). In relevant part, HIPAA requires structured protection of electronic transactions, security and/or privacy of protected health information.

HIPAA covers any health care provider who transmits any health information in electronic form in connection with a transaction covered by HIPAA.

Protected Health Information (“PHI”) is individually identifiable health information in any form, except if it is in education records covered by the Family Educational Rights and Privacy Act (“FERPA”), as described in 20 U.S.C. §1232g(4)(A) or in 20 U.S.C. §1232g(4)(B)(iv).

“Transaction” is defined as: “the transmission of information between two parties to carry out financial or administrative activities related to health care. It includes the following types of information transmissions:

  • Health care claims or equivalent encounter information.
  • Health care payment and remittance advice.
  • Coordination of benefits.
  • Health care claim status.
  • Enrollment and disenrollment in a health plan.
  • Eligibility for a health plan.
  • Health plan premium payments.
  • Referral certification and authorization.
  • First report of injury.
  • Health claims attachments.
  • Other transactions that the Secretary may prescribe by regulation.”

45 CFR § 160.103. The comment period on final rules for the Privacy Regulations is pending.

As a public university, Northern Illinois University is proceeding to develop internal operational standards and practices to comply with HIPAA as a "hybrid entity," as that term is defined in the HIPAA statute. Extensive legal research and conferencing with counterparts at other institutions have led to the development of a series of recommendations, one of which is the Regulations of the Board of Trustees below. Its design and intent are to put the Board itself into a compliance position, while delegating the implementation of privacy responsibilities for the University to the President and designees.

There will be a survey of university activities that could require HIPAA-related standards (for electronic transactions, security, and/or privacy of protected health information) to be applied. That survey will be conducted during the early summer, and a determination made of which units should be designated as a type of "covered unit" within our hybrid entity.

The Corporation Counsel’s Risk Management Advisory Committee sponsored a cyber seminar on campus in conjunction with the National Association of College and University Attorneys earlier this year. 25 members of the university faculty and staff attended that training session on the HIPAA Privacy Regulations. Similar training will be provided as needed in the future. It is foreseeable that external legal counsel specializing in this area of privacy law will be engaged to supplement institutional compliance efforts as needed.

Recommendation: The University recommends Board of Trustees approval of this amendment to the Board of Trustees Regulations.

Board of Trustees Regulation - Section VII

Subsection E. [NEW]


This statement of policy relates to administration and protection of certain protected health information coming into possession of individuals and business affiliates performing official functions on behalf of components of the Board of Trustees of Northern Illinois University. This policy statement is intended to facilitate and foster Board of Trustees and institutional compliance with the federal Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), Public Law 104-191, including applicable amendments and related implementing regulations of responsible agencies, as may be applicable to a university of the State of Illinois.

University Privacy Officer

The President of Northern Illinois University shall designate an appropriately qualified member of the university staff to serve as University Privacy Officer to assist the President with responsibilities associated with interpreting and administering privacy standards for the University, including those for protected health information.

Delegation of Authority

As necessary and appropriate consistent with applicable law and regulations, the President of Northern Illinois University, or designee, is delegated authority to develop, adopt and arrange publication of appropriate internal procedures to maintain continuing compliance with applicable federal and state standards concerning matters related to privacy of information, including protected health information of students, employees and other individuals.

Concerning protected health information, administration of such procedures will require all university units that maintain or transmit such health information to utilize reasonable and appropriate administrative, technical and physical safeguards:

  • To ensure the integrity and confidentiality of the information;
  • To protect against any reasonably anticipated
    • threats or hazards to the security or integrity of the information; and
    • unauthorized uses or disclosures of the information; and
  • Otherwise to ensure compliance with applicable privacy law standards by the officers and employees of the Board of Trustees.

