Approved: July 15, 2018

Purpose

This policy describes Northern Illinois University’s implementation of information security and privacy practices in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and associated regulations, including the HIPAA Breach Notification, Privacy and Security Rules (HIPAA Rules). In part, HIPAA and the HIPAA Rules establish national standards to protect the privacy and security of Protected Health Information (PHI).

Definitions

• Business Associate is a person or organization (a) that performs for a Covered Entity or Health Care Covered Component, or assists in the performance of, managerial, administrative or consultative-type tasks that help the Covered Entity/Health Care Covered Component carry out its Covered Functions; and (b) that requires access to Protected Health Information (PHI) from a Covered Entity/Health Care Covered Component in order to perform the services that the Business Associate is performing for the Covered Entity/HealthCare Covered Component. Examples of administrative, managerial or consultative type services that a Business Associate might perform for a Covered Entity/Health Care Covered Component to assist in its performance of Covered Functions including claims processing; utilization review; quality assurance; billing benefit management; legal services; accounting; consulting; data aggregation; management; administration; accreditation; or financial services. [45 CFR § 160.103].
• Business Associate Agreement (BAA) means a contractual agreement per which a Business Associate agrees to be bound by all applicable requirements of HIPAA and to handle PHI in accordance with all such requirements. [45 CFR § 164.504(e)].
• Business Associate-like Activities means activities that require access to PHI to perform activities for or on behalf of a Covered Entity or Covered Component to assist the Covered Entity/Component in performing Covered Functions, which activities would make the NIU unit a Business Associate if it were a separate legal entity.
• Covered Entity is a Health Plan; Health Care Clearinghouse; or Health Care Provider who transmits any Health Information in electronic form in connection with a transaction covered under HIPAA regulations. [45 CFR § 160.103].
• Covered Functions are those functions that a Health Care Covered Component or Covered Entity perform that make it a Health Plan, Health Care Provider or Health Care Clearinghouse. [45 CFR § 164.103].
• Health Care means care, services, or supplies related to the health of an Individual. Health Care includes but is not limited to (a) preventative, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment or procedure with respect to the physical or mental condition or functional status of an Individual that affects the structure or function of the body; and (b) sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription. [45 CFR § 160.103].
• Health Care Covered Component (Covered Component) is a unit of a Hybrid Covered Entity that performs Covered Functions, and in the case of a Health Care Provider transmits any Health Information in electronic form in connection with a transaction covered under HIPAA regulations, but only to the extent it performs Covered Functions, or activities that would make it a Business Associate of a component that performs Covered Functions if the two components were separate legal entities. [45 CFR §§ 164.103 & .105(a)(2)(iii)(C)].
• Health Care Provider (Provider) means any person or organization that furnishes, bills or is paid for Health Care in the normal course of business. [45 CFR § 160.103].
• Health Information means any information, including genetic information, whether oral or recorded in any form, that (a) is created or received by a Health Care Provider, Health Plan, Public Health Authority, employer, life insurer, school or university, or Health Care Clearinghouse; and that (b) relates to the past, present or future physical or mental health or condition of an Individual; the provision of Health Care to an Individual; or the past, present or future payment for the provision of Health Care to an Individual. [45 CFR § 160.103].
• Hybrid Covered Entity means a single legal entity (a) that is a Covered Entity; (b) that conducts business activities that include both Covered and Non-Covered Functions; and (c) that designates Health Care Covered Components in accordance with 45 CFR § 164.105(a)(2)(iii)(C). [45 CFR § 164.103].
• Individually Identifiable Health Information means Health Information, including demographic information collected from an Individual that is: (a) created or received by a Health Care Provider, Health Plan, employer, or Health Care Clearinghouse; and (b) relates to the past, present, or future physical or mental health or condition of an Individual; the provision of Health Care to an Individual; or the past, present, or future payment for the provision of health care to an Individual; and (i) that identifies the Individual; or (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the Individual. [45 CFR § 160.103].
• Protected Health Information (PHI) means Individually Identifiable Health Information that is (a) transmitted by electronic media; (b) maintained in electronic media; or (c) transmitted or maintained in any other form or medium; provided, however, that PHI does not include any Individually Identifiable Health Information in (i) Education Records covered by the Family Educational Rights and Privacy Act (FERPA), as amended, and all implementing regulations, including, but not limited to, records described at 20 U.S.C. § 1232g(a)(4)(B)(iv) of FERPA; and (ii) employment records held by a Covered Entity in its role as an employer. [45 CFR § 160.103].

Scope

With notice to the Board of Trustees, the President of Northern Illinois University has designated Northern Illinois University (NIU) as a Hybrid Covered Entity under 45 CFR § 164.103 because the majority of NIU units do not provide HIPAA-covered functions. As a Hybrid Covered Entity, NIU limits the application of HIPAA requirements only to those units that provide HIPAA-Covered Functions and are thus designated as Health Care Components.

The following units are NIU’s Covered Components:

1. Center for the Study of Family Violence and Sexual Assault
2. College of Health and Human Sciences
3. Community Counseling Training Center
4. Psychological Services Center

The following units or portions of units within Northern Illinois University may perform Business Associate-like activities on behalf of a Covered Component. When they perform these activities, they are considered to be a Covered Component. These units include, but are not limited to:

1. Colleges or units within Colleges that assist a Covered Component in performing Covered Functions
2. Division of Administration and Finance
3. Division of Information Technology
4. Division of Research and Innovation Partnerships
5. Institutional Review Board (IRB)
6. Internal Audit Department
7. Office of General Counsel
8. Office of the Bursar

Some NIU units provide health care treatment without charge or may collect payment for health care treatment without using HIPAA-covered billing. These units are not considered to be a Covered Component under NIU’s Hybrid Covered Entity:

1. Athletics: Sports Medicine Staff
2. Employee Assistance Program
3. Health Services in the Division of Student Affairs

This policy applies to all persons – employees, students, fellows, visiting scholars, professionals, volunteers, agents, or other persons - who work under the direct control of an NIU Health Care Component and who perform the functions, activities or services of a Covered Entity or a Business Associate.

Impact of State Law

The NIU Hybrid Covered Entity is subject to the laws of the State of Illinois. In the event of a conflict between HIPAA requirements and the laws of the State of Illinois, the laws that have the stricter privacy obligations or that confer the most rights upon Individuals will govern.

Designated Officials

To oversee NIU’s compliance program, the President or his/her designee appoints both a HIPAA Privacy Officer and a HIPAA Security Officer, who may be the same person. These Officers report to the President or his/her designee. [45 CFR §§ 164.308(a)(2); 530(a)(1)(i), (2)]

Each Covered Component will appoint a HIPAA Contact Person(s) who will coordinate with the HIPAA Privacy Officer and HIPAA Security Officer concerning the implementation of requirements under HIPAA and HIPAA Rules. These persons and others appointed by the President will form a HIPAA Steering Committee to provide cross-functional governance for HIPAA-related compliance and concerns.

The HIPAA Privacy Officer and the HIPAA Security Officer will:

• Consult with stakeholders to develop, approve and implement policies and procedures required by HIPAA and the HIPAA Rules.
• Monitor Health Care Component compliance with HIPAA and HIPAA Rules.
• Conduct regular reviews to ensure Health Care Components are properly identified and designated in writing.
• Develop and maintain HIPAA training programs, security awareness programs, and related records.
• Establish and maintain administrative, physical and technical security safeguards to prevent, detect, contain, mitigate, and correct security violations of ePHI.
• In consultation with designated HIPAA Contact Persons within the NIU’s Covered Components, receive, investigate, consult, and recommend resolutions of complaints concerning NIU’s compliance with HIPAA and HIPAA Rules.

The Security Officer shall have jurisdiction over all activities subject to the HIPAA Security Rule that are undertaken by or on behalf of the NIU Hybrid Covered Entity or that involve electronic PHI (ePHI) owned by the NIU Hybrid Covered Entity. In the event of a matter involving a possible unauthorized use or disclosure of records or other materials consisting entirely or primarily of ePHI owned by the NIU Hybrid Covered Entity, the Security Officer will have primary responsibility for the investigation and management of the matter.

The Privacy Officer shall have jurisdiction over all activities subject to the HIPAA Privacy Rule that are undertaken by or on behalf of the NIU Hybrid Covered Entity or that involve any records containing PHI owned by the NIU Hybrid Covered Entity. In the event of a matter involving a possible unauthorized use or disclosure of records or other materials consisting entirely or primarily of hardcopy or printed PHI owned by the NIU Hybrid Covered Entity, the Privacy Officer will have primary responsibility for the investigation and management of the matter. 

In matters involving multiple types of PHI owned by multiple parties, the Privacy Officer and Security Officer shall mutually agree as to who will have primary responsibility for management of the matter. The Privacy Officer and Security Officer agree to cooperate with and assist in the investigation and management of any matter arising under these Policies, no matter which Privacy or Security Officer has primary responsibility for the matter.

Training

The NIU Hybrid Covered Entity will provide the members of its workforce with training on HIPAA-related policies promptly after their adoption. Each new member of the workforce shall be trained within in a reasonable period of time after joining the workforce. Additionally, any member of the workforce whose duties are affected by any material change in HIPAA-related policies will receive training regarding such change within a reasonable period of time after the change becomes effective. The NIU Hybrid Covered Entity will keep appropriate documentation regarding such training. [45 CFR § 164.530(b)]

Violations

Violations of HIPAA and HIPAA Rules can lead to criminal and civil penalties for both Northern Illinois University and the individual(s) involved, as well as disciplinary action, up to and including separation of employment.