HIPAA Security and Privacy Compliance Policy

Policy Approval Authority President
Responsible Division Ethics and Compliance Office
Responsible Officer(s) Associate Vice President and Chief Information Officer, Associate Vice President and University Privacy Officer
Contact Person Jack Yetter
Primary Audience Faculty, Staff
Status Active
Last Review Date 10-06-2023
Policy Category/Categories Governance / Administration

Purpose

Northern Illinois University has campus units providing Healthcare Services that store and transmit health or billing information and therefore must comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH). NIU is also subject to the laws of the State of Illinois. In the event of a conflict between HIPAA or HITECH requirements and the laws of the State of Illinois, the laws having stricter privacy obligations or conferring the most rights upon Individuals will govern unless otherwise indicated by statute.

The policy and its sub-parts define NIU’s implementation of technical and physical safeguards to further compliance. Each sub-part is to be considered part of the NIU HIPAA Security and Privacy Compliance Policy, even if it may also contain policies applicable to university concerns outside of the policy. Defined terms are those set forth in the HIPAA Policy Definitions and those Definitions guide all HIPAA policies listed below. Any difference in definition between this document and applicable laws shall be resolved in favor of controlling law.

These policies apply to all persons (employees, students, fellows, visiting scholars, professionals, volunteers, agents or other persons) who work under the direct control of an NIU-covered component and/or who perform the functions, activities or services of a covered component or business associate.

The following documents are referred to in the policy and are available for review online.

  • NIU Model Business Associate Agreement
  • NIU Model Notice of Privacy Practices
  • NIU Model Authorization for Use and Disclosure
  • NIU Model Acknowledgement or Receipt of Privacy Practices
  • NIU Model Request to Inspect and/or Copy PHI
  • NIU Model Request for Accounting of Disclosures
  • NIU Model Privacy Complaint Form

HIPAA Hybrid Entity Policy

Under regulations of the Board of Trustees, the university is operating as a Hybrid Covered Entity since the majority of NIU units do not provide HIPAA-covered functions. As a Hybrid Covered Entity, NIU limits the application of HIPAA requirements only to those units and activities that provide HIPAA-covered functions and are thus designated as covered components.

NIU shall remain in compliance, where applicable, with 45 CFR Subpart C concerning compliance and enforcement of the HIPAA Privacy Rule, HIPAA Security Rule and HIPAA Breach and Notification Rule, and will adopt policies and procedures for its designated covered components regarding the implementation of safeguards to protect confidentiality, integrity, and disclosures of protected health information (PHI or ePHI for electronic protected health information).

The HIPAA Steering Committee shall periodically review the list of designated activities, departments or functions for accuracy and completeness.

Each covered component within NIU is responsible for enforcing the policies, standards and practices established in these policies and to report to the university privacy or security officer any known or suspected violation of NIU HIPAA policies, or the HIPAA Privacy or Security Rules, generally.

Some units or portions of units within Northern Illinois University may perform business associate-like activities on behalf of a covered component. In the scope of performing these activities, they are a covered component.

HIPAA applies only to health plans, healthcare clearinghouses and health care providers. Some NIU units provide health care without conducting HIPAA-covered electronic transactions (for example, they may charge or collect payment for health care treatment without using HIPAA-covered billing). These units are not considered to be covered components under the HIPAA Hybrid Entity Policy.

NIU-designated covered components may disclose information to each other only to the extent necessary under the HIPAA Use and Disclosure Policy.

Designated HIPAA Officials and Liaisons

University Privacy Officer and Security Officer

Oversight of Northern Illinois University’s compliance with the policy is the responsibility of the university privacy officer and the security officer. These individuals shall be appointed by the president or their designee, to whom the officers shall report.

The university privacy officer shall:

  • Chair NIU’s HIPAA Steering Committee
  • Chair NIU’s Breach Assessment Team
  • Under delegated authority from the president, have the authority to sign, execute or revoke Business Associate Agreements on behalf of the university
  • Consult with the HIPAA Steering Committee and related stakeholders to develop, approve, and implement policies and procedures required by HIPAA Privacy, Security and Breach Notification Rules
  • Oversee development and maintenance of HIPAA training programs, security awareness programs, and related records
  • Conduct regular reviews to ensure covered components are properly identified and designated in these policies and monitor covered component compliance
  • Establish and maintain administrative, physical, and technical security safeguards to prevent, detect, contain, mitigate, and correct security violations of PHI
  • In consultation with designated HIPAA Liaisons within NIU’s covered components, receive, investigate, consult, and recommend resolutions of complaints concerning NIU’s compliance with NIU’s HIPAA Policies and Procedures
  • Have authority over all activities subject to the HIPAA Privacy Rule that are undertaken by or on behalf of the NIU Hybrid Covered Entity or that involve any records containing PHI owned by the NIU Hybrid Covered Entity. In the event of a matter involving a possible unauthorized use or disclosure of records or other materials owned by the NIU Hybrid Covered Entity, the university privacy officer will have primary responsibility for the investigation and management of the matter

The security officer shall:

  • Provide expertise in technical security to the HIPAA Steering Committee
  • Consult with the Steering Committee and related stakeholders to develop, approve, and implement policies and procedures required by HIPAA Privacy, Security and Breach Notification Rules
  • Have authority over all activities subject to the HIPAA Security Rule that are undertaken by or on behalf of the NIU Hybrid Covered Entity or that involve ePHI owned by the NIU Hybrid Covered Entity. The security officer shall cooperate with the university privacy officer and assist in the investigation and management of any matter arising under these policies.
  • Oversee the implementation of technical safeguards to prevent, detect, contain, mitigate, and correct security violations of ePHI
  • Participate in the annual audits of covered components as required in NIU’s HIPAA Risk Management and Audit Policy

Both the university privacy officer and the security officer shall have the authority to delegate responsibilities but are required to provide active oversight of their delegates.

HIPAA Steering Committee

Each covered component will appoint at least one HIPAA Liaison who will coordinate with the university privacy officer and security officer concerning the drafting of policy and its implementation to meet the HIPAA Privacy, Security and Breach Notification Rules. These persons and others appointed by the university privacy officer will form a HIPAA Steering Committee to provide cross-functional governance for HIPAA-related compliance and concerns.

The HIPAA Steering Committee will also review the policies set forth yearly to ensure they remain up to date with the law. They shall maintain records of activity, action, and assessments in writing.

The current membership of the HIPAA Steering Committee is:

  • University privacy officer
  • Security officer
  • HIPAA liaison for the College of Education
  • HIPAA liaison for the College of Health and Human Sciences
  • HIPAA liaison for the Internal Review Board
  • HIPAA liaison for Psychological Services
  • Representative of the Office of the General Counsel (advice and counsel role)

HIPAA Breach Assessment Team

Upon report of an event that may constitute a breach of the HIPAA Security Rule or the HIPAA Privacy Rule, the matter will be reviewed by NIU’s Breach Assessment Team. This team will assess the possibility of a Breach and, in accordance with NIU’s HIPAA Security Event Assessment and Breach Response Policy, make recommendations to the Chief Strategy Officer regarding the university’s response, and aid covered components, DoIT, the Steering Committee and other necessary partners to execute the response.

The membership of the Breach Assessment Team is:

  • Privacy officer
  • Security officer
  • University Ethics Officer
  • Representative of the Office of the General Counsel
  • Director of Risk Management
  • University chief information security officer

HIPAA Record Retention

NIU has a Records Management Policy that sets policy for all university records in compliance with the Illinois State Records Act and State Records Commission Rules. The policy shall govern records retention of HIPAA-related materials, with the specific caveat that all HIPAA-related records must be retained for a period no less than six years.

Individual HIPAA Rights Related to Record Materials

Individuals generally have the following rights related to information about that individual that a covered component maintains in the individual’s medical record, including information about the individual submitted to the Record by other Health Care Providers and Covered Entities.

Right of Access

NIU requires that any Individual’s request to inspect or obtain a copy of PHI be made in writing. Prior to disclosing PHI, NIU shall verify the identity of the person making the request, and the authority of that person to access the information. To do so, NIU may require the requester to provide all documentation or representations required to verify identity and authority, and NIU shall request all documents when the documentation is a condition of the disclosure.

If the PHI requested is maintained on-site or in a similarly accessible manner, NIU will act on the request within thirty days of the date the request is received. If the PHI is maintained off-site or in a similarly inaccessible manner, NIU will respond within sixty days. All requests for access to PHI shall be directed to the HIPAA Liaison of the covered component. If NIU is unable to act on a request within the allotted time, it may extend the deadline by thirty days by providing, in writing, a statement on the reason for the delay to the individual requesting.

NIU will produce the PHI, or provide the individual access to it, in the manner requested if it is readily reproducible in that format, or, if not, in a readable hard copy. If acceptable to the individual, NIU may provide a written summary or explanation of the PHI instead of actual access.

Denial of Right to Access

NIU may deny access to PHI in the following circumstances:

  • A licensed health care professional has determined, through the exercise of professional judgment, that the access requested is reasonably likely to endanger the life or safety of another;
  • The PHI makes reference to another person (other than a health care provider) and a licensed health care professional has determined, through the exercise of professional judgment, that the access requested is reasonably likely to cause substantial harm to such other person; or
  • The request for access is made by the individual's personal representative and a licensed healthcare professional has determined, through the exercise of professional judgment, that the provision of access to the personal representative is reasonably likely to cause substantial harm to the individual or another person.

Any denial shall be in writing and detail the requester’s right to have the decision reviewed by the university privacy officer.

In such cases the university privacy officer shall consult with the HIPAA Steering Committee and a licensed health care professional not involved in the original decision to deny access. If the university privacy officer determines the denial of access is warranted, Individuals will be given access to PHI, to the extent possible, excluding the PHI for which NIU has grounds to deny access.

NIU may deny a request to review or obtain PHI without further review of that denial when the PHI:

  • Was compiled in reasonable anticipation of, or for use in, any civil, criminal, or administrative action or proceeding.
  • Was obtained during research and includes treatment of participants while the research is in progress and the individual previously agreed to this temporary suspension of access.
  • Was obtained from a person or entity other than a health care provider under a promise of confidentiality outside the boundaries of HIPAA.
  • Constitutes psychotherapy notes.
  • Is otherwise protected by other State or Federal law (e.g., certain records under the control of a federal agency or a federal agency’s contractor under an applicable Privacy Act).

Right to Accounting

Individuals have the right to request an accounting of disclosures of PHI made in the six years prior to the date of request. Such accountings shall not include disclosures made to carry out Treatment, Payment or Health Care Operations, to the individual themselves or pursuant to their authorization, incident to a use or disclosure permitted or required under the HIPAA Privacy Rule, to persons involved in the individual’s care, related to national security purposes, to correctional institutions or law enforcement officials, or that are part of a de-identified or limited data set.

An individual’s request for an accounting must state a time not longer than six years prior to the date of the request. In response to the request, NIU will provide the requester with a written accounting. The accounting shall document disclosure dates, the person or entity to whom the disclosure was made, and a brief description of the materials disclosed.

NIU shall suspend the right to an accounting, for no longer than renewable thirty-day periods, where the Records have been disclosed to a health oversight agency or a law enforcement agency, if the agency or official states in writing that the accounting is likely to impede the agency’s or official’s activities and specifies the period of the suspension.

NIU may charge the requester for the costs of providing any second or subsequent accounting in a twelve-month period. The requester will be notified in advance of the cost involved and may withdraw or modify their request before any costs are incurred.

Right to Request Restrictions

Individuals have the right to request NIU restrict uses or disclosures of their PHI to treatment, payment, or health care operations. Individuals may also make specific requests to limit disclosure to family members, relatives or friends involved with the individual’s health care or payment for the health care, and disclosures to notify certain persons regarding the individual’s general condition, location, or death. With a limited exception identified below, NIU is not required to comply with an individual’s request.

The request must inform NIU of the information to be limited, whether the limitation should be on use, disclosure, or both, and to whom the limits apply. Upon receipt of the request, NIU will determine whether the restriction should or can be granted. If NIU agrees to the restriction, it will be documented in the individual’s Records.

NIU must agree to requests to restrict disclosures to an individual’s Health Plan if the disclosure is for the purpose of carrying out payment or health care operations where the restriction pertains solely to a health care item or service for which NIU has been paid in full.

NIU can terminate restrictions to provide emergency care or treatment if the individual agrees to or requests the termination, or if NIU notifies the individual of the termination and the restricted PHI is not subject to the mandatory restriction related to Health Plans stated above.

Right to a Copy of the Notice of Privacy Practices

Individuals have the right to a copy of the Notice of Privacy Practices, and NIU shall make a copy available on its website.

Right to Complain

Individuals may file a complaint with the university privacy officer and/or the Department of Health and Human Services (DHHS) Office for Civil Rights (OCR) regarding any violation of these policies or HIPAA Privacy, Security or Breach Notification rules. Complaints to the OCR must be made within 180 days of the alleged violation.

Right to Amend PHI

An individual has a right to request NIU amend their PHI in NIU’s possession. The requests shall be made to the university privacy officer, who shall document the requests and resolutions of those requests.

NIU may deny the request to amend if the PHI in question was not created by NIU, is not part of the individual’s record set, would not be a record available for inspection under NIU’s policy on right to access or if the PHI is accurate and complete. The university privacy officer shall notify the individual in writing of the denial, which will explain the basis for the denial and how the individual may file a written statement disagreeing with the denial and how the individual may file a complaint with the Department of Health and Human Services. NIU must identify, as appropriate, the information in the individual's record that is the subject of the disputed amendment and append or otherwise link to this information the individual's request for an amendment, NIU's denial of the request, and the individual's statement of disagreement.

Health Care Providers or Health Plans may contact NIU to advise they have made amendments to an individual's PHI in their possession or control. When NIU is informed by a Health Care Provider or Health Plan of an amendment to an individual's PHI, NIU must make necessary amendments to the PHI in its records.

Notice and Acknowledgement of HIPAA Privacy Practices Policy

NIU’s HIPAA Steering Committee shall create and provide a model Notice of Privacy Practices to each covered component in English and Spanish. Accommodations for other accessibility will be made on an as-needed basis.

NIU and its covered components shall provide that Notice, in writing, to each individual about whom PHI will be collected prior to the onset of any treatment or collection of PHI. Individuals shall sign the Notice, and a copy shall be included in their records. In the case of emergency treatment, the Notice shall be provided as soon as is reasonably practicable. When required to do so by the Privacy Rules, NIU shall post the Notice in a clear and prominent location where Individuals will be able to read it. All covered components with websites shall post the notice in a conspicuous place.

If an individual consents to electronic notifications, they may receive the Notice via email. If NIU knows the transmission failed, a paper copy must be provided. NIU shall make the Notice available to any person upon request.

The Notice of Privacy Practices shall contain the following in plain language:

  • An individual’s rights under NIU policy, state law and federal law and regulation
  • A statement of choices Individuals may make about the way in which their PHI is used
  • A statement of uses and disclosures NIU or covered components may make
  • A statement of responsibilities NIU has to Individuals
  • A description of NIU’s Hybrid Entity status, and NIU’s ability to share PHI between entities
  • Information regarding use of information for non-treatment purposes such as research or fundraising
  • Contact information for further information, clarification, requests, and complaints

Should NIU modify the terms of its Privacy Policy affecting Individual Rights, NIU’s legal obligations or other privacy practices, it will post the new notice on the website of the covered component and provide it in writing to the individual prior to their next onsite treatment. The notice shall contain its effective date, and, unless required by law, changes to privacy practices shall not take effect prior to the effective date of the amended notice.

HIPAA Use and Disclosure Policy

Northern Illinois University shall not use or disclose PHI except as permitted or required by the HIPAA Privacy and Security Rules and in accordance with NIU's Notice of Privacy Practices. NIU shall act consistently with any agreed-upon restrictions, as stated in Individual HIPAA Rights Related to Record Materials. NIU’s compliance will be governed by the minimum necessary standard of the HIPAA Privacy and Security Rules.

NIU, its covered components, and other workforce members are prohibited from selling or disclosing PHI in return for remuneration of any type, regardless of who will receive the remuneration.

"Minimum Necessary" Standard

The minimum necessary standard requires NIU to make reasonable efforts to use, disclose or request the minimum amount of PHI reasonably necessary to accomplish a limited intended use, disclosure, or request. NIU states the minimum necessary standard applies to uses and disclosures: for treatment purposes, to the individual who is subject of the information, made pursuant to authorization, made in mandatory or situational fields per the transaction standard, to the Department of Health and Human Services as required for compliance purposes, or otherwise required by law.

Use of PHI will be limited by NIU to persons in NIU who require access to carry out their duties to the covered component, and then only to the categories of PHI required by that person. For any type of routine, recurring disclosure of PHI, such as those to other health care providers, it is NIU's policy to permit only the disclosure of the minimum amount of PHI that is reasonably necessary to achieve the purpose of the disclosure. Any such disclosures must be made in accordance with the Privacy and Security Rules and these policies. NIU may rely, if reasonable under the circumstances, on statements by public officials, other covered entities, or their business associates that they are requesting the minimum PHI necessary to achieve the stated purpose of the request.

Internal Disclosures

Disclosures made within a covered component, or to other covered components designated in NIU’s HIPAA Hybrid Entity Policy, are allowed when the recipient has a need to know consistent with these policies. Workforce members requiring the use of PHI in the course of their jobs are responsible for maintaining the confidentiality of the PHI.

Permitted Use Policy

Permitted uses and disclosures of PHI include those:

  • Made by an individual in accordance with the standards outlined in NIU’s Individual HIPAA Rights Related to Record Materials Policy.
  • Required to carry out treatment, payment, and health care operations.
  • Pursuant to and in compliance with a valid authorization.
  • Pursuant to verbal agreement from an individual permitting disclosure to a caregiver.
  • Related to "priority" purposes such as those required by law, or for judicial or administrative proceedings.
  • For research purposes when authorized by an appropriate waiver and authorization, or as part of a limited data set or de-identified information.
  • To business associates, as defined by and in accordance with the practice and policy established in NIU’s HIPAA business associate Policy.

"Priority" purposes required by law means, for the purposes of the policy, compliance with federal or state statutes which require disclosure without authorization or prior agreement, e.g., Abused and Neglected Child Reporting Act, Communicable Disease Report Act, and the Firearm Owners Identification Card Act.

Permissive disclosure is allowed in other circumstances, with specific conditions and limitations, including:

  • For public health activity
  • For law enforcement purposes or specialized governmental functions pursuant to legal authority
  • Disclosures regarding victims of abuse, neglect, or domestic violence
  • For Health oversight activity
  • For use and disclosures about decedents to coroners, medical examiners, and funeral directors
  • For organ or tissue donation purposes
  • To avert a serious threat to health or safety
  • Disclosures for Workers’ Compensation purposes

NIU reserves the right to disclose PHI to notify of a patient’s death, or to disclose the PHI of a deceased patient to family members or others involved with the individual's care or payment for care prior to death, unless inconsistent with preferences the individual expressed to NIU.

NIU may disclose PHI to a public or non-governmental entity authorized by law to assist in disaster relief efforts for purposes of coordination. NIU will disclose PHI in these situations to the minimal extent required to not interfere with disaster relief efforts.

Incidental uses and disclosures by NIU that occur as a byproduct of a use or disclosure permitted by the HIPAA Privacy and Security Rules are explicitly permitted so long as NIU applies reasonable safeguards and implements the minimum necessary standard as applicable.

In certain circumstances NIU may be required to disclose PHI without authorization or agreement of the individual. The HIPAA Privacy and Security Rules require disclosure when an individual requests information about themselves, when the Department of Health and Human Services requests information to determine NIU’s compliance with the rules, and as required by law as discussed further below.

Use and Disclosure Requiring an Authorization

Generally, NIU may not use or disclose, with the exceptions noted elsewhere in these policies, PHI without a valid authorization which complies with the HIPAA Privacy Rule. When a valid authorization is received the use must be limited to the extent of the authority granted.

Disclosure at an individual’s request, including to a Health Care Provider or the individual’s own attorney, requires authorization. Disclosures for marketing and fundraising purposes (delineated in NIU’s Use of PHI in Marketing, Fundraising and Research Settings Policy) require authorization. Disclosures to Individuals of their own Records are covered in NIU’s Individual HIPAA Rights Related to Record Materials policy.

NIU will make a reasonable effort to ensure authorizations are usable and readable, including organizing materials to meet the needs of readers, use of common language and provision for forms in multiple languages. Authorizations will be retained pursuant to NIU’s HIPAA Record Retention Policy.

The HIPAA Steering Committee will produce a Model Authorization for use by the covered components. NIU Workforce or researchers drafting authorizations shall use the model as their guide. All authorizations shall contain these core elements or sufficient space for the elements to be provided:

  • The name of the individual or entity authorized to make the requested use or disclosure
  • A meaningful description of the information to be used or disclosed
  • The name of the individual or entity to whom NIU will make the disclosure
  • A description of each purpose of the requested use or disclosure; if the individual is initiating the authorization, the purpose may be described as "at the request of the individual"
  • A date or specific event that will mark the expiration of the authorization, such as a specific date, a specific term (e.g., "ninety days"), or an event specific to the individual ("throughout my participation in the study")
  • The signature of the authorized requester
  • The date of execution of the authorization
  • If the person signing is not the individual who is the subject of the records, a description of their authority to act

Authorizations will contain a statement that the individual has the right to revoke the authorization in writing, a description of the process and requirements for such a revocation, and a statement that any redisclosure by the recipient of information provided by NIU is no longer covered by the HIPAA Privacy and Security Rules.

Authorizations may contain other elements so long as they do not conflict with the required elements and are materially related to the authorization. Authorizations shall not be combined with other documents or be made part of other documents or agreements beyond incorporation by reference.

Authorizations with defects in the core elements or with core element information missing are invalid. Should NIU learn that any element in the authorization provided by the requester is false or fraudulent, the authorization shall be invalid, and the event reviewed by the Breach Assessment Team.

Use and Disclosure of Information Without an Authorization

NIU or a covered component may, without patient authorization, either use PHI as permitted under the HIPAA Privacy Rule to create De-identified Information or disclose PHI to a business associate to create De-identified Information, whether the De-identified Information is to be used by the covered component or disclosed to another entity or individual.

NIU or a covered component may use or disclose a Limited Data Set only for purposes of public health activities, research, or Health Care Operations and only after NIU enters into a data processing agreement with the person or entity sharing or disclosing the Limited Data Set as defined in NIU’s Limited Data Set and De-identified Information Policy.

Disclosure to Governmental Agencies and Personnel

NIU may use and disclose an individual’s PHI without the individual’s written authorization for the following specialized government functions:

  • Military and veterans’ activities
  • National security and intelligence activities
  • Protective services for the President and others
  • Medical suitability determinations

For military and veterans’ activities, NIU may disclose to military authorities the PHI of individuals who are members of the armed forces for purposes that appropriate military command authorities have deemed necessary to ensure proper execution of the military mission, provided the military authority has, prior to seeking the information, (a) published a notice in the Federal Register that sets forth (i) the name of the appropriate military command authorities; and (ii) the purposes for which the PHI may be used or disclosed. NIU may disclose PHI to authorized federal officials as necessary to conduct lawful intelligence, counterintelligence, and other national security activities authorized by the National Security Act (50 U.S.C. § 401, et seq.) and implementing authority (e.g., Executive Order 12333).

For foreign military personnel, NIU may use or disclose to the appropriate military authority the PHI of individuals who are foreign military personnel for the same purposes for which NIU may use or disclose PHI regarding Armed Forces Personnel as described above.

NIU may disclose an individual’s PHI to authorized federal officials for the provision of protective services to the President of the United States or other persons authorized by 18 U.S.C. § 3056 or to foreign heads of state or other persons authorized by 22 U.S.C. § 2709(a)(3), or for the conduct of investigations authorized by 18 U.S.C. §§ 871 and 879.

All the above disclosures will be made applying the "minimum necessary" rule. NIU will maintain an accounting of these disclosures, which shall be available to the individual subject to NIU’s Individual HIPAA Rights Related to Record Materials policy.

Requests for disclosure under the policy shall be made to the record keeper.

Disclosure to Law Enforcement

NIU may disclose an individual’s PHI to a correctional institution or a law enforcement official who has lawful custody of an inmate or other individual if the correctional institution or law enforcement official represents that such PHI is necessary for the:

  • Provision of healthcare to the individual
  • Health and safety of such individual or another inmate
  • Health and safety of the officers or employees of, or others at, the correctional institution
  • Health and safety of such individual and officers or other persons responsible for the transporting of inmates or their transfer from one institutional facility or setting to another
  • Administration and maintenance of safety, security, and good order of the correctional institution.

The PHI of an individual who has been released on parole, probation, supervised release, or who is otherwise no longer in lawful custody, may not be used or disclosed.

If there is a specific law requiring disclosure of PHI to a law enforcement official, such as reporting certain types of disease, wounds, or injuries, NIU may disclose without an individual’s authorization. If a disclosure of PHI is not required by law as described above, but a law enforcement official has requested the disclosure of the PHI solely for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person, then NIU may disclose only the following:

  • Name and address
  • Date and place of birth
  • Social Security number
  • Type of injury
  • ABO blood type and Rh factor
  • Date and time of treatment
  • Date and time of death, if applicable; and
  • Description of distinguishing physical characteristics, including height, weight, gender, race, hair and eye color, presence or absence of facial hair (beard or moustache), scars and tattoos.

NIU may not disclose for identification or location purposes any PHI related to an individual’s DNA, DNA analysis, dental records or typing, samples or analysis of body fluids or tissue. Any disclosure for these purposes must also be in accordance with the requirements of any applicable state law or court proceeding.

If a disclosure is not required by a particular law, but a law enforcement official has requested disclosure of PHI about an individual who is thought to be a victim of a crime (other than child abuse; or abuse, neglect or domestic violence concerning adults who are not elder persons or disabled adults; or abuse or neglect of an elder person or disabled adult), then NIU may make the requested disclosure if the individual agrees in writing to the disclosure. If NIU is unable to obtain the individual’s agreement because the individual is incapacitated or because of other emergency circumstances, NIU may disclose the PHI if, in the exercise of its professional judgment, it determines that the disclosure is in the best interest of the individual, and the law enforcement official requesting the disclosure represents that:

  • The information is needed to determine whether there has been a violation of law by a person other than the victim, and the information requested is not intended to be used against the victim; and
  • Immediate law enforcement activities that depend upon the disclosure would be materially and adversely affected by waiting until the individual is able to agree.

NIU may initiate a disclosure to a law enforcement official of PHI of an individual who has died if NIU suspects that the individual’s death was the result of criminal conduct, and if the disclosure is necessary for purposes of alerting the law enforcement official to this suspicion. Further, NIU may initiate a disclosure of PHI to a law enforcement official that NIU believes in good faith constitutes evidence of criminal conduct that occurred on NIU’s premises.

If an NIU covered component provides health care in response to a medical emergency, that covered component may initiate disclosure of PHI regarding the medical emergency to law enforcement officials if the disclosure is necessary to alert law enforcement to the:

  • Commission and nature of a crime
  • Location of such crime or of the victim(s) of the crime; and
  • Identity, description and location of the perpetrator of the crime.

Such disclosures may not be made regarding emergency medical care given to an individual who NIU believes requires this care because of abuse, neglect, or domestic violence unless the law mandates such reporting without authorization of the individual.

All the above disclosures will be made applying the "minimum necessary" rule. NIU will maintain an accounting of these disclosures, which shall be available to the individual subject to NIU’s Individual HIPAA Rights Related to Record Materials policy.

Requests for disclosure under the policy shall be made to NIU’s Department of Police and Public Safety, in conjunction with the Office of the General Counsel. NIU’s Department of Police and Public Safety shall verify the identity of any law enforcement official requesting a disclosure under this section, or to whom a disclosure is made pursuant to HIPAA regulations.

Disclosures Related to Subpoenas and Court Orders

NIU may receive subpoenas or other court orders to surrender records, and it is university policy to comply with either in a manner consistent with state and federal law related to the privacy of the PHI. Requests for disclosure by subpoena or court order shall be directed to the records keeper, who shall enlist the aid of NIU’s Office of the General Counsel.

Court Orders and Subpoenas

If NIU receives a court order or a subpoena that is signed by a judge, magistrate, or administrative tribunal, and complies with applicable legal requirements, NIU must comply with the court order or subpoena and disclose the information. Failing or refusing to comply could result in being held in contempt of court. When responding to the court order or court-issued subpoena, NIU will disclose only the PHI that is expressly requested, and no more. NIU may ask that the information be held under seal or such other mechanism to minimize distribution.

Orders or Subpoenas not from a Court

A subpoena issued by someone other than a judge, magistrate, or administrative tribunal – e.g., a court clerk or an attorney – is not a court order. If NIU receives a subpoena or discovery request that is signed by someone other than a judge, magistrate, or administrative tribunal, NIU may not disclose information unless and until the following conditions are met:

Obtain satisfactory assurances from the party seeking the PHI that he or she has made reasonable efforts to notify the individual whose PHI is sought by the request.

NIU receives "satisfactory assurances" from a party seeking PHI if it receives from the requesting party a written statement and accompanying documentation demonstrating that the requesting party has made a good faith attempt to provide written notice to the individual (or, if the individual’s location is unknown, to mail a notice to the individual’s last known address) that the PHI is being sought in connection with a legal proceeding. The notice must include sufficient information about the proceedings to permit the patient to raise an objection to the court or administrative tribunal. Additionally, the notice must contain representations that the time for the patient to object has expired and that either no objections were filed, or that all objections filed have been resolved and that the disclosures sought are consistent with such resolution.

Obtain satisfactory assurances from the party seeking the PHI that he or she has made reasonable efforts to secure a qualified protective order from a court or administrative tribunal.

A qualified protective order is an order of a court or of an administrative tribunal, or a stipulation by the parties to the litigation or administrative proceeding, that (1) prohibits the parties from using or disclosing the protected health information for any purpose other than the litigation or proceeding for which such information was requested; and (2) requires the return or destruction of the PHI at the conclusion of the litigation or proceeding.

NIU receives "satisfactory assurances" that the requesting party has made reasonable efforts to secure a qualified protective order if NIU receives a written statement and accompanying documentation demonstrating that: (1) the requesting party has sought a qualified protective order from the court or administrative tribunal with jurisdiction over the litigation or proceeding, or (2) the parties to the litigation have agreed to a qualified protective order and have presented it to the court or administrative tribunal.

or

Obtain a signed HIPAA authorization from the individual for the release of the subpoenaed medical records.

The authorization accompanying the subpoena must comply with all state and federal law, regulation, or administrative instruction, as well as with NIU policies.

If the foregoing are not satisfied, NIU will not disclose protected health information pursuant to the subpoena or discovery request.

Federal Grand Jury Subpoenas

Federal grand jury subpoenas are issued in connection with federal criminal investigations. A federal grand jury subpoena may command a witness to appear and give testimony and/or to produce documents or other tangible items to the grand jury. If NIU receives a legally compliant federal grand jury subpoena requesting PHI, NIU must comply with the subpoena and disclose the information sought. Failure to comply with a grand jury subpoena can result in being held in civil contempt or convicted of criminal contempt, or both.

State Grand Jury Subpoenas

State grand jury subpoenas are issued in connection with investigations into violations of state law. Whether NIU may disclose medical records to a state grand jury depends upon the breadth and applicability of the state’s medical privacy and privilege laws. Although HIPAA specifically authorizes NIU to release a patient’s medical records in response to a grand jury subpoena, HIPAA also requires covered entities to comply with "more stringent" state laws that relate to the privacy of individually identifiable health information. Because state privacy laws apply in state proceedings, including state grand jury investigations, they must be analyzed to determine whether they would allow disclosure of the PHI. If a state’s privacy law is more stringent than HIPAA – for example, it precludes the disclosure of information protected by the physician-patient privilege and does not contain any exception for disclosure of such information in response to a grand jury subpoena – then that state law will be applied to prevent disclosure.

Administrative Subpoenas

Administrative subpoenas are issued by federal or state agencies, without judicial oversight, and may compel the production of documents or testimony. A "HIPAA subpoena" is an administrative subpoena issued pursuant to 18 U.S.C. § 3486, which is a provision of the federal criminal code. These subpoenas are authorized whenever the Department of Justice is investigating criminal federal health care offenses, generally fraud offenses related to health care benefits, and may compel the production of documents but not deposition testimony or interrogatory responses. Because administrative subpoenas are issued by federal agencies rather than courts, they must be accompanied by a written statement that:

  • the information demanded is relevant and material to a legitimate law enforcement inquiry
  • the request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought; and
  • de-identified information could not reasonably be used.

Civil Investigative Demands

Civil investigative demands (CIDs) are issued by the Department of Justice in connection with civil False Claims Act investigations. Unlike administrative subpoenas, CIDs can demand interrogatory responses and deposition testimony in addition to documents. However, like administrative subpoenas, CIDs are issued without judicial involvement and must therefore contain the same statements related to relevance and materiality, scope, and inadequacy of de-identification. Therefore, if NIU receives a CID, NIU must comply with the request if the issuing entity confirms that (1) the information sought is relevant and material to a legitimate law enforcement inquiry; (2) the request is specific and limited to the extent reasonably necessary for the purpose of the request; and (3) de-identified information could not reasonably be used. When responding, provide only the information expressly demanded by the CID.

HIPAA Training Policy

To ensure NIU’s Workforce receives effective and timely education regarding NIU’s Policies and Procedures, the HIPAA Steering Committee shall maintain training curriculum adequate to inform the Workforce of NIU Covered Entities of their rights and obligations in furtherance of the compliance efforts.

This training shall, at a minimum, consist of mandatory initial training for all Workforce members of covered components. This training shall be required, and failure to complete it within thirty days of starting in the covered workforce will result in appropriate corrective action (which may include, but is not limited to, disciplinary action). The HIPAA Steering Committee shall ensure that the HIPAA Liaisons for each covered component have the ability to track the completion of the training. Covered components shall track completion of training for their Workforce members.

Additionally, when material changes are made to the Privacy Rules, Privacy Policies or Security Policies related to NIU’s HIPAA compliance, the Steering Committee will ensure all members of the Workforce whose functions are affected by the change receive training on the new policies and/or procedures within the prescribed time.

Additional training may be developed and implemented for specific employees involved in specialized compliance issues as determined by the Steering Committee.

NIU HIPAA Liaisons, the university privacy officer, or security officer may direct and require specific employees to attend additional privacy or security training if they believe it is warranted. At the discretion of the HIPAA Steering Committee, refresher training may be developed and required for the Workforce of some or all covered components.

The training will require Workforce members to review NIU’s HIPAA-related policies and procedures that affect their position and will focus on federal and state laws and regulations governing privacy and security, confidentiality, and the definitions of PHI.

HIPAA Business Associate Policy

From time to time, Northern Illinois University may contract with an individual or entity to provide services to NIU or act on NIU’s behalf, or for NIU to provide services to a third party. If these relationships involve the sharing of PHI, the parties may be in a business associate relationship for HIPAA purposes.

The policy serves to formalize business associate relationships and protect information disclosed to business associates. All agreements with business associates must be in writing and contain certain mandatory provisions designed to protect the privacy and security of an individual’s PHI. At no time will NIU Covered Entity Workforce disclose PHI to a business associate without an executed business associate Agreement. Business associates may only use the PHI they receive in accordance with law and in direct relation to the furtherance of their contractual obligations.

Covered components, with the assistance of the university privacy officer, will identify business associates as defined in the policy. A non-comprehensive list of examples of such functions and activities is:

  • claims processing or administration
  • data analysis, processing, or administration
  • utilization review
  • quality assurance
  • billing
  • benefit management
  • practice management, or
  • Provision of legal, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to NIU involving the disclosure of Individually Identifiable Health Information.

Treatment providers receiving information from NIU for the purpose of providing treatment to an individual shall not be considered business associates.

The covered component HIPAA Liaison will review each proposed agreement to determine if a business associate agreement is required. The university privacy officer will assist as required. NIU has a preferred form business associate Agreement which the HIPAA Liaison of any covered component may use with potential business associates of their covered component. Modifications to this business associate Agreement beyond definition of parties will be reviewed by the university privacy officer.

NIU requires the written business associate agreement establish the permitted and required uses of PHI by the business associate and provide that the business associate will:

  • Not use or disclose PHI other than as permitted or as required by law, and then disclose only the minimum PHI necessary to perform or fulfill a specific function in an agreement with NIU or NIU covered component.
  • Use appropriate safeguards to prevent use or disclosure of the PHI other than as provided by the agreement with NIU and use administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic PHI.
  • Report to NIU any access, use, or disclosure of the information not provided for by its contract and any security incident of which it becomes aware; and following the discovery of any breach of unsecured PHI, notify NIU in writing of such breach without unreasonable delay and in no case later than sixty calendar days.
  • Mitigate any harmful effect that is known to the business associate of a use or disclosure of PHI in violation of the agreement.
  • Ensure any legally permitted agent/subcontractor agrees in writing to the same restrictions and conditions which apply to the business associate.
  • Provide access to PHI to NIU or to the individual who is the subject of the PHI and will make any amendments to PHI at the direction or request of NIU or the individual.
  • Document disclosures of PHI as required for NIU to respond to an individual request for an accounting of disclosures.
  • Make books, records, internal practices, policies and procedures available to DHHS.
  • Use or disclose PHI for the purpose of fulfilling reporting under NIU contracts with clients for that purpose, but only in aggregate, as such use or disclosure would not violate HIPAA or 42 C.F.R. Part 2 or the minimum necessary policies and procedures of the NIU covered component.
  • Return, destroy, or maintain privacy and security of any PHI at the end or termination of any contract with NIU or an NIU covered component.
  • Use PHI to report violations of law as permitted by HIPAA and 42 C.F.R. Part 2.
  • Make available to NIU any information necessary for NIU to comply with an individual’s right to access to PHI; and if business associate maintains an electronic health record, provide such information in electronic format to enable NIU to fulfill its obligations under HIPAA and/or the HITECH Act.

All agreements shall state a date or event on which the agreement shall end.

NIU will notify the business associate of any changes in or revocation of authorization by an individual to use or disclose PHI. Upon material breach by the business associate, NIU or an NIU covered component may terminate any contract or agreement immediately. The business associate acknowledges it is fully bound by HIPAA and 42 C.F.R. Part 2. In the event of inconsistencies between HIPAA and 42 C.F.R. Part 2, the more restrictive rule will control. Parties will comply with all applicable federal, state, and local laws pertaining to client confidentiality including, but not limited to, state mental health and developmental disability confidentiality law, state and federal drug and alcohol confidentiality laws and state AIDS/HIV confidentiality laws.

NIU covered components shall notify the university privacy officer when issuing or receiving a notice of contract termination involving a business associate. The university privacy officer will coordinate with the business associate regarding the business associate’s obligations to return or destroy all PHI or, if return or destruction is not feasible, to extend the protections of the business associate requirements to the PHI and to limit further uses and disclosures to those purposes that make the return or destruction of the PHI infeasible. The contract and contract addendum must be retained for six years after the contract was last in effect.

Use of PHI in Marketing, Fundraising and Research Settings

PHI Use in Marketing

Northern Illinois University shall obtain authorization prior to use or disclosure of PHI for Marketing Purposes, except if the communication is made face-to-face by a covered component or Workforce member to an individual or for the purpose of extending a promotional gift of nominal value (e.g., pens, paper, etc.). If a third party compensates NIU or the covered component, directly or indirectly, any authorization for use must expressly state that such remuneration is involved.

PHI Use in Fundraising

With limited exceptions NIU or an NIU covered component must receive authorization prior to the use of an individual’s PHI for fundraising activities. If NIU or one of the Covered Entities wishes to use personally identifiable information in fundraising, the Notice of Privacy Practices must contain a specific statement of what information will be used or disclosed and provide the individual the ability to opt out of such fundraising communications.

Use of such PHI will be limited to fundraising for the covered component only, and no other University functions or actions. In no case will sensitive PHI be shared for fundraising purposes. This PHI shall not be intermingled with other Fundraising activities.

If a third party is used for fundraising purposes, and is given access to this PHI, that third party must execute a business associate Agreement. With any communication, electronic or otherwise, NIU must provide a clear and obvious description of how the individual can opt out of further Fundraising communications. The method may not be unduly burdensome. NIU shall use its best efforts to implement opt-out elections.

PHI Use in Research

PHI may be used or disclosed for research purposes under the following conditions:

  • As specifically authorized, in writing, by the individual in a manner consistent with NIU’s Notice and Acknowledgement of HIPAA Privacy Practices.
  • Pursuant to a waiver of such authorization by the Institutional Review Board or other approved formal privacy board using the following criteria:
    1. The use of PHI presents no more than a minimal risk to the privacy of the subject based on, at least, the presence of an adequate plan to protect identifiers from improper utilization; an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and adequate written assurance that the PHI won’t be reused or disclosed to any other person or entity except as required by law, for authorized oversight of the research project or for other research for which the use of PHI would be permitted by the Privacy Rule;
    2. The research could not practicably be conducted without the waiver; and
    3. The research could not practicably be conducted without access to and use of the PHI.
  • Limited Data Set and Data Use Agreement.
  • De-identified data.
  • Activities Preparatory to Research, provided that the researcher has made a written representation to the covered component that:
    1. Use is sought solely to review PHI as necessary to prepare a research protocol or for similar purposes preparatory to research.
    2. No PHI is to be removed from the covered component by the researcher during the review.
    3. The PHI for which access is sought is necessary for research purposes.
    4. The IRB will review all proposed screenings of records for recruitment of research participants as part of the protocol approval process unless the research is exempt from the regulations protecting human subjects.
  • Research on decedents, provided that the researcher represents in writing to the covered component that the use is solely for research that involves the PHI of decedents, and the PHI is necessary for the research. The covered component may request documentation of the death of the individuals about whom PHI is being sought.

NIU and its covered components shall not condition a patient’s treatment on providing an authorization, except for clinical trials or other research-related treatments.

HIPAA Complaints

Individuals may lodge a formal complaint about Northern Illinois University’s information privacy practices, policies and procedures including the privacy and security, use and disclosure, access to or amendment of PHI. Additionally, complaints may be made regarding NIU’s marketing practices, and the practices of NIU business associates. Complaints may be anonymous.

Complaints may be made to any NIU contact person or covered component HIPAA Liaison. All complaints shall be forwarded to the university privacy officer. Individuals may also make complaints directly to the university privacy officer at privacy@niu.edu. Individuals may also lodge complaints with the Department of Health and Human Services Office of Civil Rights.

The university privacy officer will investigate complaints to determine their validity. If a complaint is found not to contain a valid complaint about NIU’s HIPAA Policies or the HIPAA Rules, the university privacy officer will respond to the complaint, if possible, explaining that decision. Complaints deemed valid will be investigated pursuant to the policy.

Complaints about the policies, practice, and security will be reviewed by the HIPAA Steering Committee to determine if changes in University policy, security or practice are needed. Complaints alleging a security event or potential breach shall be forwarded to the Breach Assessment Team and investigated in a manner consistent with NIU’s HIPAA Security Event Assessment and Breach Response Policy.

If the complaint is regarding a business associate of NIU, the university privacy officer, with the aid of the covered component(s) with a relation to the business associate, shall investigate. The investigation should determine if PHI was impermissibly used or disclosed by the business associate, and if the use and disclosure were serious and repeated. The university privacy officer shall have the authority to determine if NIU should terminate contracts and agreements for material breach.

The university privacy officer must maintain documentation of any privacy complaint and NIU's review and disposition of the matter, including a record of any changes to Policies and Procedures or the imposition of sanctions against members of its workforce, if any. NIU must retain all documents relating to the complaint and the investigation for a period of at least six years after the date of their creation.

Limited Data Sets and De-identified HIPAA Data

Limited Data Sets

Northern Illinois University or one of its covered components may use or disclose a Limited Data Set only for public health activities, research, or Health Care Operations. Such use shall require a Data Processing Agreement (DPA) with the person or entity sharing or using the data that meets the following standards:

  • Establish the permitted uses and disclosures by the recipient of information contained in the Limited Data Set.
  • Instruct the recipient not to disclose information other than is expressly permitted.
  • Define who is permitted to use or receive the limited data set.
  • Define appropriate minimum safeguards (technical, physical and access) to prevent the use of information other than as allowed in the DPA.
  • Require the recipient to notify the university privacy officer of any use or disclosure of the information other than as allowed by the DPA of which the recipient becomes aware.
  • Ensure any further sharing of the information is with a party which is bound by the same restrictions and conditions of the DPA.
  • Require the recipient to neither identify the information nor contact the individual.

Limited data sets may be created by removing Identifying Information as defined in these policies.

Any Workforce member who becomes aware of a pattern or practice indicating the Limited Data Set may be subject to a breach must report this in the same manner as described in NIU’s Reporting Event and Breach Policy.

De-identified Data

NIU or a covered component may de-identify data in one of two ways - the Safe Harbor Method or the Expert Determination Method. The Safe Harbor Method is the approved method unless a request for exception is made to the university Privacy and security officers and approved in writing.

Under the Safe Harbor Method, Identifying Information, as defined in NIU’s HIPAA Policy Definitions, of the individual or of relatives, employers, or household members of the individual must be removed.

To comply with the Expert Determination Method, a covered component may use an expert with "appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable" to determine that there is a "very small" risk that the information, alone or in combination with other reasonably available information, could be used by the researcher to identify the individual who is the subject of the information. The person certifying statistical de-identification must document the methods used as well as the result of the analysis that justifies the determination. This certification is a Record to be kept by the covered component in accordance with NIU’s Records Management Policy.

NIU or a covered component may assign a code or other means of record identification to allow De-identified Information to be re-identified, provided that the code or other means of record identification is not derived from or related to information about the patient and is not otherwise capable of being translated to identify the patient and the code is not disclosed.
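The re-identification code rule above is easy to get wrong in practice: a code computed from the patient's own identifiers (for example, a hash of the medical record number) is "derived from" patient information and can be recomputed by anyone who holds that identifier, so it fails the standard. The following added example, written for this page and not part of NIU's policy or any NIU system, contrasts that disallowed pattern with a random code whose only link to the individual is a separately held key table. The record, the field names and the set of fields treated as identifying are constructed for illustration; NIU's actual list of Identifying Information is in its HIPAA Policy Definitions, which this page does not reproduce.

```python
import hashlib
import secrets
from typing import Dict, Tuple

# Constructed sample record for illustration only; not real patient data.
SAMPLE_RECORD = {
    "mrn": "MRN-0001234",       # direct identifier (assumed field name)
    "name": "Example Patient",  # direct identifier (assumed field name)
    "dob": "1970-01-01",        # direct identifier (assumed field name)
    "diagnosis_code": "E11.9",  # clinical content the research use needs
    "visit_year": 2023,
}

# Fields treated as identifying in this illustration (an assumption, not
# NIU's definition of Identifying Information).
IDENTIFYING_FIELDS = ("mrn", "name", "dob")


def bad_code_from_mrn(mrn: str) -> str:
    """Disallowed pattern: the code is derived from the MRN.

    A hash of the MRN is deterministic, so anyone who knows the MRN can
    recompute the code and link it to the de-identified record.  The code is
    therefore 'derived from or related to information about the patient' and
    is 'capable of being translated to identify the patient'.
    """
    return hashlib.sha256(mrn.encode()).hexdigest()


def assign_reid_code(record: dict, key_table: Dict[str, dict]) -> Tuple[dict, str]:
    """Permitted pattern: a random code with no relationship to the record.

    The identifiers are moved into key_table, which the covered component
    keeps separately and never discloses with the data set.  Without the key
    table the code cannot be translated back to the individual.
    """
    code = secrets.token_hex(16)          # 128 bits of randomness, 32 hex chars
    while code in key_table:              # collisions are practically impossible,
        code = secrets.token_hex(16)      # but uniqueness is cheap to guarantee
    key_table[code] = {f: record[f] for f in IDENTIFYING_FIELDS}
    deidentified = {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}
    deidentified["reid_code"] = code
    return deidentified, code


def reidentify(code: str, key_table: Dict[str, dict]) -> dict:
    """Re-identification is only possible for whoever holds the key table."""
    return key_table[code]


def demo() -> dict:
    """Run both patterns on the sample record and report the differences."""
    key_table: Dict[str, dict] = {}
    deidentified, code = assign_reid_code(SAMPLE_RECORD, key_table)
    return {
        "deidentified": deidentified,
        "code": code,
        # True would mean the code leaks: it equals the hash of the MRN.
        "recomputable_from_mrn": code == bad_code_from_mrn(SAMPLE_RECORD["mrn"]),
        "key_table_size": len(key_table),
        "round_trip_mrn": reidentify(code, key_table)["mrn"],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The key table is the sensitive artifact here: it is what makes the data set re-identifiable, so it belongs with the covered component under the same safeguards as the PHI itself, and it is what must not be disclosed alongside the coded data. Stripping identifying fields from a record is only one step of the Safe Harbor Method; whether the remaining fields (such as a year of visit) meet the standard is decided by the policy's definition of Identifying Information, not by this snippet.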

HIPAA Violations and Sanctions

It is Northern Illinois University’s Policy to monitor compliance with HIPAA policies, permit individuals to report complaints and issues and to impose sanctions, as applicable, for violations of NIU’s HIPAA Compliance policies and procedures. Reporting and investigations are done in accordance with NIU’s HIPAA Reporting Event and Breach Policy and NIU’s HIPAA Security Event Assessment and Breach Response Policy.

If, at the conclusion of the investigation, a violation of NIU policy or practice is found to have occurred, and an employee’s actions caused, failed to mitigate, or made worse the security event, the Breach Assessment Team, with the approval of the university chief strategy officer, will refer the employee to the appropriate oversight person or department for corrective action in a manner commensurate with the act or failure to act. Violations can be classified into three categories depending on the intent – those made due to lack of knowledge, education or by accident; those made with disregard for known NIU policy; and intentional acts. It is NIU’s policy to recommend corrective action commensurate with the severity, frequency, and intent of violations, and progressive discipline can be considered for repeated offenses.

Intentional, unauthorized use, dissemination, exposure, access, review, disclosure or destruction of PHI, and violations committed with malicious intent or for personal gain, will be referred to the proper authorities for potential criminal prosecution.

HIPAA Risk Management and Auditing

Each covered component shall implement a risk management program sufficient to reduce information system risks and potential vulnerabilities to a reasonable level. The program shall be geared to ensuring the confidentiality, integrity, and availability of its PHI. All workforce members must aid and cooperate in the execution of the risk management program.

Each covered component will coordinate with the university privacy officer and security officer to conduct an information security risk assessment annually. The assessment supports the protection of the confidentiality, integrity, and availability of PHI. Specifically, the assessment will document, in writing:

  • An inventory of internal systems that are used to collect, store, process or transmit PHI.
  • An inventory of third-party systems used to collect, store, process or transmit PHI, and a review of the business associate Agreement with those third parties.
  • Potential threats or events that could affect PHI security or business operations, the systems where added integrity controls are required, and updated controls to mitigate those threats.
  • The impact of a security incident, breach or disruption, and the continuity and mitigation plans in place for each.
  • Practice and procedure issues, the threats (if any) they pose to the physical and technical safeguards for PHI, and updated controls to mitigate those threats.
  • Any changes or updates to the covered component’s data backup plan, disaster recovery plan, and emergency-mode operation plan, including any internal training on or testing of those plans and an updated list of the persons designated to lead them.
  • Workforce members who changed position or departed during the previous year, and confirmation that their accounts and system privileges were adjusted or removed in accordance with the Access Control Policy.
  • Assess training completion of staff members and determine if additional training is recommended.
  • Address any open items from previous years’ assessments.

Any material change in systems or environment, and any emerging vulnerability, will be reviewed individually in a timely manner.

Covered components and the Division of Information Technology (DoIT) will implement system-level logging for systems containing ePHI. Those logs must be stored in a separate log management system or logging event file. Where the system allows, logs should contain the user ID, IP address, and login and logout dates and times. Log files will be retained for as long as they are needed or for as long as Illinois record retention requirements mandate, whichever is longer.

HIPAA Network, System and Data Security

Northern Illinois University and its covered components shall reasonably safeguard PHI:

  • From any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements of the Privacy and Security Rules and NIU’s Policies and Procedures.
  • In a manner to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure in accordance with the Privacy and Security Rules and NIU's Policies and Procedures.

NIU and NIU covered components shall take reasonable precautions to safeguard and protect the confidentiality, integrity, and availability of PHI.

NIU has established policies and procedures that are incorporated by reference in the HIPAA compliance policies. These policies are:

  • Access Control Policy
  • Identity Protection Policy
  • Information Security Policy
  • System Access and Security Policy
  • Bring Your Own Device Policy
  • Office Privacy Policy
  • Acceptable Use Policy
  • Clean Desk Standards for NIU Private and Restricted Data Policy
  • Use of Email Policy

NIU uses the most current National Institute of Standards and Technology Cybersecurity Framework as a guide to establishing and enforcing data security across campus. NIU and covered component networks include any network administered by those parties, as well as any network to which their workstations, data storage devices, or servers have direct access or the capability of direct access. Access points to other networks from NIU or covered component networks define the perimeter of the network. With respect to HIPAA, NIU covered components will meet the following standards of use and security:

  • The transmission of ePHI from a covered component or workforce member to an authorized external entity via a messaging or data transfer system is permitted if the sender has ensured that the following ePHI transmission security conditions are met or exceeded:
    • Workforce members must use an NIU-administered secure data transfer system to transmit ePHI to authorized External Entities; however, if the external entity requires use of its own data transfer system, the Workforce member must verify, before using it, that the external entity’s system meets or exceeds the minimum standard specified by the security officer.
    • All contracts and data sharing agreements required by law and the policy have been executed in accordance with NIU’s HIPAA policies.
  • If transmitting PHI over public or open networks, reasonable precautions such as data encryption will be taken to ensure confidentiality and integrity of the data. Specifically:
    • The identities of the sender and the recipient must be authenticated. If the transmission is uni-directional from the sender to the recipient, then the identity of the recipient must be authenticated.
    • The recipient must agree to participate in the data transmission.
    • The data transmission must be encrypted. Either the data transmission channel must be encrypted, or the data must be encrypted prior to transmission according to the requirements set forth by the security officer.
    • The sender and receiver must be aware of the risks involved respectively in sending and receiving ePHI.
    • Assuming all Privacy and Security prerequisites in this section for transmitting ePHI by email are met and the covered component otherwise allows email transmission of ePHI, then any Workforce member sending email containing ePHI must include a standard ePHI warning as approved by the university privacy officer and security officer.
    • Questions regarding encryption or transmission of ePHI over Non-Secure Networks should be directed to the security officer.
  • All ePHI transmissions over Non-Secure Networks must be digitally signed to ensure that modification without detection does not occur.
  • Each member of a covered component’s Workforce will be provided a unique user identification for accessing workstations, servers, portable devices (laptops, tablets, etc.) and other information assets. Workforce members are prohibited from sharing usernames and passwords and are instructed not to write them down or record them in an unencrypted form.
  • NIU will enforce a strong password policy and require multi-factor authentication for any system or application that provides privileged access to ePHI or the ability to modify it.
  • Covered components will keep an inventory of all applications, systems, and data repositories housing PHI.
  • Access to PHI will be limited only to authorized users.
  • Covered components must have policies and procedures for determining Workforce members’ access requirements. A Workforce member’s supervisor should approve changes to access privileges (whether increasing or decreasing access to information) in a timely manner and control that access (or notify DoIT or the security officer, as appropriate). These policies and procedures must comport with the Least Necessary Rule in the policy.
  • Decisions granting access must be documented in writing.
  • Per NIU’s HIPAA Risk Management and Audit Policy, an annual assessment of privileges must be made. NIU and covered components should be able to:
    • List systems and applications to be logged.
    • List information to be logged for each system or application.
    • Determine specifications for log reports for each system or application.
    • Be able to review all audit logs and activity reports.
  • A policy and practice for terminating access to any system, application or data repository must be in place for each covered component.
  • Devices used to access, process or store ePHI must be configured to standards set by the security officer.
  • Workforce members shall not use their personal computers, or any other devices not administered and secured by NIU or covered component staff to manipulate or store ePHI.
  • Covered components must encrypt all laptops and portable data storage devices that are used, or have the potential to be used, to access, process or store ePHI. Data encryption specifications must meet or exceed the minimum standard specified by the security officer. If encryption of a device is not possible, then, with the approval of the security officer, a procedure must be implemented to track the individual storage devices and/or media containing the ePHI, their location, and the parties in physical possession of and responsible for them.
  • Encryption of ePHI on non-portable devices as an access control mechanism is not required unless the custodian of the ePHI deems it a necessary control.
  • ePHI shall not be stored on portable Electronic Media.
  • covered components must document and implement procedures for the secure removal of ePHI from storage media before making the storage media available for reuse. If ePHI contained on the storage media cannot be rendered unrecoverable, the storage media must be destroyed.
  • To protect confidentiality, integrity, and access to ePHI systems must have appropriate security software installed and enabled that protects the computer from malicious software.
  • Computers accessing ePHI must be configured to automatically lock or disconnect the user session after a period of inactivity as specified by the security officer.
  • For systems containing ePHI, the mechanism used to implement access control lists and the resulting access control list should be documented (e.g., Microsoft Windows operating system firewalls, or Linux iptables). Access control lists should be configured for each active network service, defining the allowed or denied protocols, ports, and network connections as narrowly as possible.
  • NIU or its covered components will implement intrusion detection capabilities in any information system they administer to facilitate regular appraisal of the effectiveness of network perimeter and host network access controls and the forensic investigation of potential or actual intrusion activity. Detected intrusion activity must be logged, and the logs must be reviewed regularly.
  • All systems allowing remote login or desktop access must be configured to meet standards established by the security officer.
  • Covered components will implement network perimeter security and corresponding network access controls, such as network firewalls, routers, or Virtual Local Area Networks (VLANs). The configuration of the firewalls, routers, VLANs, or other network access controls used to protect the network environment must be documented and available to the security officer.
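The logging requirement in the Risk Management section (user ID, IP address, login and logout times) and the annual review of privileges and audit logs listed above are easiest to meet when the review is scripted against the exported logs rather than done by eye. The following is an added example, not NIU’s or DoIT’s code: it assumes a hypothetical ePHI application that exports JSON-lines events with `ts`, `event`, `user`, `ip` and `host` fields, a constructed HR departure list, and an assumed internal address range of 10.20.0.0/16. It flags records missing a required field, logins by users after their departure date (access not terminated), logins from outside the internal network (remote access that must meet the security officer’s standard), and logins with no matching logout (an open session or a logging gap).

```python
"""Annual audit-log review for an ePHI system (added, hypothetical example)."""
import ipaddress
import json
from datetime import date, datetime

# Fields the policy expects every login/logout record to carry.
REQUIRED_FIELDS = ("ts", "event", "user", "ip", "host")

# Constructed sample: JSON-lines export from a hypothetical ePHI application.
SAMPLE_LOG = """\
{"ts": "2024-03-04T08:02:11Z", "event": "login",  "user": "jdoe",    "ip": "10.20.5.17",  "host": "ehr-app01"}
{"ts": "2024-03-04T16:45:03Z", "event": "logout", "user": "jdoe",    "ip": "10.20.5.17",  "host": "ehr-app01"}
{"ts": "2024-03-05T09:10:00Z", "event": "login",  "user": "asmith",  "ip": "10.20.5.40",  "host": "ehr-app01"}
{"ts": "2024-03-05T09:12:30Z", "event": "login",  "user": "rlee",                         "host": "ehr-app01"}
{"ts": "2024-03-06T22:14:52Z", "event": "login",  "user": "mgarcia", "ip": "203.0.113.9", "host": "ehr-app01"}
{"ts": "2024-03-06T22:40:10Z", "event": "logout", "user": "mgarcia", "ip": "203.0.113.9", "host": "ehr-app01"}
"""

# Constructed: departures reported by HR, user -> last day of employment.
DEPARTURES = {"mgarcia": "2024-02-28"}

# Assumed internal address space of the covered component's network.
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]


def parse_events(text):
    """Parse JSON lines into event dicts, ignoring blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(value):
    """ISO-8601 'Z' timestamp -> aware datetime (works on Python < 3.11 too)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def missing_fields(events):
    """(record index, missing fields) for records lacking a required field."""
    return [
        (i, [f for f in REQUIRED_FIELDS if f not in e])
        for i, e in enumerate(events)
        if any(f not in e for f in REQUIRED_FIELDS)
    ]


def post_departure_logins(events, departures):
    """Logins after the user's last day: account was not terminated in time."""
    findings = []
    for e in events:
        if e.get("event") != "login" or e.get("user") not in departures:
            continue
        last_day = date.fromisoformat(departures[e["user"]])
        if _ts(e["ts"]).date() > last_day:
            findings.append((e["user"], e["ts"]))
    return findings


def external_logins(events, internal_nets):
    """Logins from addresses outside the internal networks (remote access)."""
    out = []
    for e in events:
        if e.get("event") != "login" or "ip" not in e:
            continue
        addr = ipaddress.ip_address(e["ip"])
        if not any(addr in net for net in internal_nets):
            out.append((e["user"], e["ip"]))
    return out


def unmatched_logins(events):
    """(user, host) logins with no later logout: open session or logging gap."""
    open_sessions = {}
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO 'Z' strings sort chronologically
        key = (e.get("user"), e.get("host"))
        if e.get("event") == "login":
            open_sessions[key] = e["ts"]
        elif e.get("event") == "logout":
            open_sessions.pop(key, None)
    return sorted(open_sessions.items())


def review(log_text, departures=DEPARTURES, internal_nets=INTERNAL_NETS):
    """Run all checks over a log export and return findings by check name."""
    events = parse_events(log_text)
    return {
        "missing_fields": missing_fields(events),
        "post_departure_logins": post_departure_logins(events, departures),
        "external_logins": external_logins(events, internal_nets),
        "unmatched_logins": unmatched_logins(events),
    }


if __name__ == "__main__":
    for name, items in review(SAMPLE_LOG).items():
        print(f"{name}: {items}")
```

On the constructed sample the review reports one record without an IP address (rlee), a post-departure login and an external login by mgarcia, and two logins without a logout (asmith, rlee). Each finding maps to an item in the assessment: the missing field is a logging gap, the post-departure login is an Access Control Policy failure, and the open sessions are either inactivity-lock or log-completeness questions for the system owner.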

Physical Safeguards for HIPAA Materials

Northern Illinois University and its covered components will take reasonable precautions to protect paper records that contain PHI from inadvertent disclosure. The following NIU policies are incorporated by reference into the HIPAA policies of NIU:

  • Access Control Policy
  • Office Privacy Policy
  • Clean Desk Standards for NIU Private and Restricted Data Policy

The following are minimum standards for covered component workforce members:

  • Files and documents should be stored in secure areas or in reasonably protective containers such as locked cabinets, drawers, or files.
  • Files and documents to be discarded should be placed in designated containers for shredding.
  • Printers and fax machines should be sited to minimize exposure of PHI to unauthorized persons. Files and documents should be promptly removed from them and should not be left exposed in unsecured areas.
  • Covered components must create and implement procedures to ensure that PHI access is limited to authorized users, to the minimum extent needed to fulfill their duties.
  • Managers and Supervisors at covered components will work with Facilities Management and Campus Services, in the Division of Administration and Finance, to ensure compliance with the Access Policy, limiting access to secured areas to those required to fulfill their job duties.

HIPAA Contingency Operations

Each covered component at NIU will be responsible for the creation and implementation of each of the following, either individually, in tandem or in conjunction with the security officer, University privacy officer and DoIT:

  • A data backup plan
  • A disaster recovery plan (DRP)
  • An emergency-mode operational plan (EMOP)

Data backup plans must enable covered components to retrieve an exact copy of all PHI from a designated time. Individuals involved in the plan must be trained in the execution of the data backup recovery, and refresher training should be done periodically as the security officer and appropriate HIPAA Liaison see fit. Each data backup plan will detail backups to be performed, identify the media used and its location, security considerations and procedure for recovering the backup data. The plan will be documented and made available to the security officer.

Each covered component shall create a disaster recovery plan ("DRP") that meets its business continuity plan requirements. Covered components that use third-party business associates for information services or technical support to operations will ensure that the business associate adheres to disaster recovery planning. The DRP must be accessible to the component’s leaders offsite, and all individuals involved in the DRP should be trained accordingly, with updates and refreshers as deemed appropriate by the security officer or the appropriate HIPAA Liaison.

To the extent possible an Emergency-Mode Operations Plan ("EMOP") should enable continuation of NIU business processes and protect the security of PHI while operating in that mode. The documentation of the plan should be made available to key workforce members and training done to ensure compliance.

Testing of these plans should include testing for any specific application in support of the plans.

Electronic Health Information Blocking Policy

The federal prohibition on blocking access to Electronic Protected Health Information seeks to promote integration and interoperability between health systems and to improve Individual access to medical information. Except as required by law or under one of the following exceptions in the policy, NIU and its covered components shall not engage in practices likely to interfere with lawful access, exchange, and use of ePHI.

NIU may engage in such practices by not fulfilling requests to access, exchange or use ePHI in the following circumstances.

  • In specific conditions, a covered component may interfere with the access, use, or exchange of ePHI to prevent harm to the individual or to other people or entities.
  • A covered component may engage in practices that interfere with the use, access, or exchange of ePHI where sharing the information would impinge on the privacy of the records.
  • NIU and its covered components may engage in blocking practices where such practices protect the security of the ePHI.
  • A covered component may decline to fulfill a request to access, exchange or use ePHI because the request is infeasible.
  • Covered components may engage in practices that block the use, access, or exchange of ePHI where doing so is necessary to maintain or improve the performance of information technology.
  • NIU or one of its covered components may limit the content of a response to a request to use, access or exchange ePHI in a manner that satisfies the requirements of the law.
  • Charging fees for the access, use or exchange of ePHI will not be considered information blocking if done in accordance with the law and NIU’s HIPAA Use and Disclosure Policy.
  • NIU or its covered components may condition access, use or exchange of ePHI on a licensing requirement that comports with the elements established by law.

Reporting HIPAA Events and Breach Policy

Reporting Suspected Privacy Events

Any member of the Northern Illinois University workforce, or a workforce member of an NIU covered component, who learns of any situation or event in which a potential breach of PHI confidentiality may have occurred must immediately notify their supervisor and/or the university privacy officer by emailing privacy@niu.edu. If the potential breach relates to electronic information, the university privacy officer must also notify NIU’s security officer. Workforce members should report any suspected breach of unsecured PHI to the university privacy officer as soon as possible, and in no case later than forty-eight (48) hours after learning of the incident.

The event report should include the following information to the greatest extent possible, but the reporting workforce member should not wait to investigate these issues before reporting.

  • A brief description of what happened, including the nature of the potential breach and the date the suspected breach was discovered.
  • The name of the individual or identification of the entity to whom PHI was disclosed without permission or authorization and, if known, the person or entity who used the information without permission or authorization.
  • A description of the type of and amount of unsecured PHI in the breach.
  • What manner of security was in place for the PHI in question (encryption, locked access, etc.).
  • What, if any, steps were taken to mitigate an impermissible use or disclosure of PHI.
  • Whether the information had been provided to or by NIU under a business associate Agreement.

Failure to report a potential breach subjects workforce members to potential sanctions and/or corrective action per NIU’s HIPAA Violation and Sanctions Policy.

Security Incident Reporting

When a member of the NIU or covered component Workforce has a reasonable belief that an activity may present a threat to, or has affected, the confidentiality, integrity, or availability of ePHI, they must immediately report the situation to the security officer. In addition, the loss, theft or unauthorized disposal or destruction of any covered component’s workstation, server, portable computing device (including laptops, tablets, and smartphones), or storage media or devices (including thumb drives) must be immediately reported to the security officer.

No Retaliation

NIU maintains an open-door policy regarding compliance with HIPAA. Workforce members, subcontractors, interns, and volunteers are encouraged to speak with the university privacy officer, the security officer or another appropriate individual regarding any concerns they may have with NIU’s HIPAA compliance program or with initiatives designed to maintain and enhance privacy and security controls. Neither NIU, its covered components, nor anyone affiliated with either may intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for exercising any right established by, or for participating in any process provided for by, these policies or the law, including:

  • Filing a complaint with NIU.
  • Filing a complaint with governmental authorities.
  • Assisting or participating in an investigation or compliance review by NIU or its agents.
  • Testifying in a proceeding or hearing by governmental authorities under HIPAA.
  • Opposing any act or practice made unlawful by HIPAA, provided the individual has a good faith belief that the practice opposed is unlawful and the manner of opposition is reasonable and does not involve an impermissible disclosure of PHI.

Any individual who believes that a form of retaliation or intimidation is occurring or has occurred should report the incident to NIU’s Ethics and Compliance Office, the university privacy officer, or the security officer. NIU will treat such a report as a complaint and investigate it accordingly pursuant to University investigation policy.

HIPAA Security Event Assessment and Breach Response Policy

Security Event Assessment

Upon receiving a report of a potential security event, the university privacy officer will disseminate the information to Northern Illinois University’s Breach Assessment Team, who will investigate and report its findings and recommendations to the university’s Chief Strategy Officer.

The Breach Assessment Team will promptly investigate the privacy and/or security incident to determine if there has been a breach of PHI. A breach is presumed to have occurred if there is an unauthorized access, acquisition, use, or disclosure of unsecured protected health information, unless NIU can demonstrate a low probability that the information was compromised. In making the determination the Breach Assessment Team will consider the following:

  • Whether the unauthorized or impermissible acquisition, access, use, or disclosure involved PHI.
  • Whether NIU can demonstrate, based on the following factors, a low probability that the PHI has been compromised:
    • The nature and extent of the information involved.
    • The unauthorized person who used or received the information.
    • Whether the information was actually acquired or viewed.
    • The extent to which the risk to the information has been mitigated.

The Breach Assessment Team’s report and recommendation to NIU’s chief strategy officer will include factual findings, a recommendation for actions to be taken pursuant to NIU’s HIPAA Violations and Sanction Policy, suggested mitigations, recommended corrections to the practices that led to the breach, and any reporting duty they believe should be undertaken.

NIU must document the investigation and conclusions, including all facts relevant to the risk assessment. Documentation of findings and final actions from the investigation should be maintained as a part of NIU’s record retention guidelines. Any disciplinary action report documenting a policy violation should be placed in the employee’s personnel file.

The university privacy officer, security officer and/or the Breach Assessment Team may take interim action to mitigate any security issue as soon as is practicable without approval of NIU’s Chief Strategy Officer. While the mitigation plan will be tailored to the specific circumstances of any security event, the mitigation plan should consider the following:

  • Identifying source(s) of unauthorized use or disclosure and taking appropriate corrective action.
  • With respect to unauthorized uses of PHI by a member of NIU’s workforce, following the outlines of NIU’s HIPAA Violation and Sanction Policy.
  • With respect to unauthorized disclosures of PHI, contacting the recipient of the information contained in the unauthorized disclosure and requesting return or destruction of the information, or taking other appropriate action to mitigate further use or disclosure.
  • Depending on the circumstances, notifying the patient whose Protected Health Information was the subject of the unauthorized use or disclosure if imminent misuse is suspected.
  • Depending on the circumstances, notifying the appropriate state and/or federal agency if required.

Under HIPAA and these policies, the following do not constitute an actionable breach:

  • An unintentional acquisition, access, or use of PHI by a workforce member or other person acting under the authority of NIU or an NIU business associate, if the acquisition, access, or use was made in good faith and within the scope of the workforce member’s authority and does not result in further use or disclosure in a manner not permitted by the Privacy Rule.
  • An inadvertent disclosure by a person who is authorized to access PHI at NIU or at a NIU business associate to another person authorized to access PHI at NIU or a NIU business associate, or organized healthcare arrangement in which NIU participates, and information received because of such a disclosure is not further used or disclosed in a manner not permitted by the Privacy Rule.
  • Disclosure of PHI where NIU or a NIU business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain the information.

Reporting Requirements

If NIU determines that a breach of unsecured PHI has occurred, NIU shall notify the affected individual(s), HHS, and the media (if required) in accordance with the policy and the requirements of HIPAA’s breach notification rules. Any notice provided pursuant to the policy must be approved and directed by the university privacy officer. No other personnel may, absent express authorization of the privacy officer, provide the notice required by the policy.

Notice to Individuals

When a breach of PHI has occurred, NIU shall notify the affected individual(s) without unreasonable delay and in no case later than 60 days after the breach is discovered. The notice must be in writing and in plain language. It must contain the following to the greatest extent possible:

  • A brief description of the incident including the date of the breach and the date it was discovered.
  • A description of the types of information involved (e.g., whether the breach involved names, social security numbers, birthdates, addresses, diagnoses, etc.).
  • Any steps the affected individual(s) should take to protect him or herself from potential harm resulting from the breach.
  • A brief description of what NIU is doing to investigate, mitigate, and protect against further harm or breaches.
  • Contact information for NIU’s privacy officer (or NIU’s business associate, as applicable).

The notice will be sent by first-class U.S. mail to the individual’s last known address. It may also be sent via email if the individual has agreed to accept notifications and communications by electronic means. In urgent situations, where NIU knows of an imminent misuse of an individual’s PHI, NIU may give notification by telephone or other means in addition to the required written notice. If NIU has out-of-date or insufficient contact information that precludes written notification to the individual, NIU shall provide substitute notice in a form reasonably calculated to reach the individual.

Where there is insufficient contact information and the breach affects fewer than ten Individuals, NIU may provide substitute notice by an alternative form of written notice, by telephone or by other means. If the breach affects ten or more Individuals for whom contact information is insufficient, substitute notice shall take the form of a conspicuous notice posted for a period of ninety days on the website of the covered component, or a conspicuous notice in major print or broadcast media in the area where the affected Individuals likely reside, containing contact information for Individuals to reach NIU to determine whether their information was included in the breach.

In the event of a breach involving a deceased Individual, NIU shall notify the next of kin or personal representative by first-class mail if that information is reasonably available to the university.

Notice to HHS

If NIU determines that a breach of PHI has occurred, it shall also notify the Department of Health and Human Services (HHS). For a breach involving fewer than five hundred affected Individuals, NIU may notify HHS immediately, or the university privacy officer may maintain documentation of the breach and report it not later than sixty days after the end of the calendar year in which it was discovered. For a breach affecting five hundred or more Individuals, NIU shall notify HHS contemporaneously with the notice to the individuals. All reporting to HHS shall be done in the manner prescribed on the HHS website.

Notice to Media

For a breach of PHI involving more than five hundred residents of a particular state or geographic region, NIU shall, following the discovery of the breach, notify prominent media outlets serving the state or region. The notification must be made without unreasonable delay and in no case later than sixty calendar days after discovery of a breach. The notification must contain the information required for individual notices as described above.

HIPAA Policy Definitions

Administrative Safeguards

Administrative actions, policies and procedures designed to manage selection, development, implementation, and maintenance of security measures to protect Protected Health Information, and the conduct of the covered component’s Workforce members in relation to the protection of that information.

Availability

Information accessible and usable by an authorized person in any format.

Breach

Any instance in which the Breach Assessment Team determines a Security Event requires a response involving mitigation, notification or any other action dictated by the Event Response Policy.

Business Associate

Any person or entity, on behalf of NIU but not as part of the workforce of one of NIU’s covered components, who performs, or assists in the performance of a function or activity involving the use or disclosure of individually identifiable health information as defined in the HIPAA business associate Policy and regulated by the requirements of 45 CFR, Subtitle A, Subchapter C of the HIPAA Administrative Simplification Requirements.

Business Associate Agreement

A contract between a covered component or the Covered Entity and a business associate governing the uses and disclosures of PHI, as detailed in the HIPAA business associate Policy.

Confidentiality

The property that data or information is not made available or disclosed to unauthorized persons or processes.

Covered Component

A component or combination of components of NIU, designated by NIU as component(s) that meet the definition of Covered Entity if such component(s) were separate legal entities. Except as otherwise required by law, Privacy Rules, Privacy Policies and Security Rules apply only to the designated covered components of NIU and not to any other departments, components, activities and/or functions.

Covered Entity

A health plan, health care clearinghouse, or a health care provider who transmits health information in connection with any transaction for which standards are promulgated by the Health Insurance Portability and Accountability Act of 1996. NIU has designated itself a Hybrid Entity and any reference to Covered Entity or Hybrid Entity in these policies is interchangeable. NIU’s covered components designated in the HIPAA Hybrid Entity Policy are "covered components" for purposes of Privacy Policies, Privacy Rules, and Security Rules.

De-identified Information

Information that does not identify an individual, and about which there is no reasonable basis to believe it can be used to identify an individual.

Division of Information Technology ("DoIT")

NIU’s Division of Information Technology oversees and manages administrative and academic computing, identity management and security, telecommunications, and the NIU network for some, but not all, covered components.

Designated Record Set or Record

A Health Care Provider’s medical and billing Records; a Health Plan’s enrollment, Payment, claims adjudication and case or medical management Records systems; and any information used, in whole or in part, by or for the covered entity or Health Care covered component to make decisions about Individuals.

Disclosure

Any manner of release, transfer, provision of access to, or divulging of PHI by a Workforce member within a covered component to a person or entity outside the covered component.

Electronic Media

Devices on which data may be recorded electronically, including but not limited to hard drives and removable/transportable digital memory media (e.g., optical disks or digital memory cards), or transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the Internet, extranets or intranets, leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions where the information was not digital prior to transmission, such as facsimile, are not considered to be transmissions via electronic media.

Electronic Protected Health Information ("ePHI")

The subset of Protected Health Information that is transmitted by Electronic Media or maintained in any medium constituting Electronic Media.

Facility Security

A plan that manages physical security for NIU physical plant housing covered components or DoIT.

Family Member

A dependent or relative within four degrees as defined in 26 U.S.C. 3401(d).

Health Care

Care, services, or supplies related to the health of an individual. Health Care includes but is not limited to (a) preventative, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition or functional status of an individual that affects the structure or function of the body; and (b) sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.

Health Care Operations

NIU will operate using the most current and complete definition of Health Care Operations contained in 45 CFR Part 164.

Generally, for purposes of these policies, NIU Health Care Operations do not include research and many marketing and fundraising activities or conducting quality assessment and improvement activities, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities.

Health Care Operations includes:

  • Reviewing competence, qualifications, or performance of health care professionals; conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers; training of non-health care professionals; and accreditation, certification, licensing, or credentialing activities.
  • Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs.
  • Business management and general administrative activities including, but not limited to:
    • Business management and development of Health Care Operations.
    • Management activities relating to implementation of and compliance with the requirements of HIPAA.
    • Customer service, including the provision of data analyses for policy holders, plan sponsors, or other customers, provided that protected health information is not disclosed to such policy holder, plan sponsor, or customer.
    • Resolution of internal grievances.
    • Sale, transfer, merger, or consolidation of all or part of NIU with another covered entity, or an entity that following such activity will become a covered entity and due diligence related to such activity.
    • Creating de-identified health information or a limited data set, and fundraising for the benefit of NIU, as carried on or permitted by the HIPAA Privacy Rules.

Health Care Provider ("Provider")

Any individual or organization that furnishes, bills or is paid for Health Care in their normal course of business.

Health Information

Information, including genetic information, in any form or medium, that is created or received by a Health Care Provider, Health Plan, public health authority, employer, life insurer, school or university, or Health Care Clearinghouse (including NIU covered components) and that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

HIPAA Liaison

An individual appointed by the head of any covered component with the following responsibilities with respect to that covered component: work with the covered component head to identify members of their Workforce who engage in activities that involve use of Protected Health Information and assure they are trained; cooperate with the Privacy and Security Officer(s) in the development of policies and procedures and other compliance activities; and serve as point of contact for questions, Security Events, audits and problem resolution regarding the covered component's compliance with HIPAA.

Hybrid Entity

A single legal entity that is a Covered Entity for purposes of the Privacy Policy because it conducts certain activities which are subject to the Privacy and Security Rules and certain activities which are not, which designates covered components as required by the Privacy and Security Rules. NIU has designated itself a Hybrid Entity and any reference to Covered Entity or Hybrid Entity in these policies is interchangeable.

Identifiers or Identifying Information

HIPAA considers the following to be identifying information in PHI:
  • Names
  • Geographic subdivisions smaller than a State, including street address, city, county, precinct, ZIP code, and their equivalent geocodes, except for the initial three digits of the ZIP code, if according to the current publicly available data from the Bureau of the Census:
    • The geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people; and
    • The initial three digits of a ZIP code for all such geographic units containing 20,000 or fewer people is changed to 000.
  • All elements of dates (except year) for dates that are directly related to an individual, including birth date, admission date, discharge date, death date, and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
  • Phone numbers
  • Fax numbers
  • Electronic mail addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers
  • Web Universal Resource Locators (URLs)
  • Internet Protocol (IP) address numbers
  • Biometric identifiers, including finger and voice prints
  • Full face photographic images and any comparable images; and
  • Any other unique identifying number, characteristic, or code (note this does not mean a unique code assigned by the investigator to code the data).
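
The list above is the Safe Harbor de-identification standard, and the rules with structure (ZIP truncation with the 20,000-person threshold, dates reduced to year, ages over 89 collapsed to a single category) are easy to get wrong when implemented ad hoc. The following is an added example, not part of the NIU policy or any NIU system: it applies those rules to a constructed patient record and includes a simple pattern check a reviewer could run over free-text notes before release. The ZIP3 population table, field names and sample record are assumptions for illustration; a real implementation would load the ZIP3 table from current Census data and map field names to its own schema.

```python
"""Safe Harbor de-identification helpers (added example; constructed data)."""
import re
from datetime import date
from typing import Optional

# Constructed (assumption): 3-digit ZIP prefixes whose combined population is
# 20,000 or fewer. Real deployments load this from current Census data.
SMALL_ZIP3_AREAS = {"036", "059", "102", "203"}

# Field names (assumed schema) holding direct identifiers that are always removed:
# names, sub-state geography, phone/fax, email, SSN, MRN, plan/account numbers,
# licence/plate/device identifiers, URLs, IPs, biometrics and photographs.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "beneficiary_id", "account", "license", "plate", "device_serial",
    "url", "ip", "biometric", "photo",
}

def generalize_zip(zip_code: str) -> str:
    """Keep the first three ZIP digits, or '000' for a ZIP3 area of 20,000 or fewer people."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 5:            # not a usable ZIP: drop rather than guess
        return "000"
    prefix = digits[:3]
    return "000" if prefix in SMALL_ZIP3_AREAS else prefix

def age_on(dob: date, as_of: date) -> int:
    """Whole years between a birth date and a reference date."""
    years = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        years -= 1
    return years

def generalize_age(age: int) -> str:
    """Ages over 89 are aggregated into one category."""
    return "90+" if age > 89 else str(age)

def generalize_date(d: date) -> str:
    """Only the year of an individual-related date may remain."""
    return str(d.year)

def safe_harbor(record: dict, as_of: date) -> dict:
    """Return a de-identified copy of a record using the Safe Harbor rules."""
    out = {}
    dob = record.get("dob")
    over_89 = dob is not None and age_on(dob, as_of) > 89
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                                   # remove direct identifiers outright
        if key == "zip":
            out[key] = generalize_zip(value)
        elif key == "dob":
            # A birth year indicates age, so it is dropped entirely for ages over 89.
            out["birth_year"] = None if over_89 else generalize_date(value)
            out["age"] = generalize_age(age_on(value, as_of))
        elif isinstance(value, date):
            out[key] = generalize_date(value)          # admission, discharge, death dates
        else:
            out[key] = value                           # clinical content is not an identifier
    return out

# Heuristic patterns (constructed) for a pre-release scan of free-text notes.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

def find_identifiers(text: str) -> dict:
    """Map each identifier kind found in the text to the matching strings."""
    return {kind: pat.findall(text)
            for kind, pat in FREE_TEXT_PATTERNS.items() if pat.search(text)}

# Constructed sample record; none of these values belong to a real person.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "zip": "60115",
    "dob": date(1930, 5, 20),
    "admitted": date(2023, 9, 1),
    "ssn": "123-45-6789",
    "diagnosis_code": "E11.9",
}
AS_OF = date(2023, 10, 6)

if __name__ == "__main__":
    print(safe_harbor(SAMPLE_RECORD, AS_OF))
    print(find_identifiers("Patient reached at 555-010-2020; SSN on file 123-45-6789."))
```

The free-text scan is a coarse check, not proof of de-identification: a note can still name a relative, a workplace or a rare condition that identifies someone without matching any pattern, which is why Safe Harbor also requires that the covered component have no actual knowledge the remaining data could identify the individual.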

In Writing

In writing refers to written documents and communications in paper and electronic form including, but not limited to, letters, notices, memoranda, and email.

Individual

The person who is the subject of Protected Health Information.

Marketing

Marketing is the making of "a communication about a product or service that encourages recipients of the communication to purchase or use the product or service." Marketing does not include a communication made:
  • To communicate about a drug or biologic that is currently being prescribed for a patient, including refill reminders. Any remuneration a covered component receives for making such communication must bear a reasonable relation to the actual cost of making the communication; or,
  • For the following Treatment and Health Care Operations purposes where the covered component does not receive any remuneration in exchange for making the communication:
    • For patient Treatment by the covered component/Provider, including case management or care coordination for the patient, direction or recommendations of alternative treatments, therapies, health care providers, or settings of care to the patient, or the contacting of patients with information about treatment alternatives, and related functions to the extent these activities do not fall within the definition of Treatment.
    • To describe a health-related product or service (or payment for such product or service) that is provided by the covered component, including communications about the entities participating in a Health Care Provider network or Health Plan network, replacement of, or enhancements to, a Health Plan, and health-related products or services available only to a Health Plan enrollee that add value to, but are not part of, a plan of benefits.

Payment

Activities undertaken by NIU to obtain reimbursement for the provision of health care. These activities relate to an individual to whom health care is provided and include, but are not limited to:
  • Determinations of eligibility or coverage, including coordination of benefits or the determination of cost sharing amounts, and adjudication or subrogation of health benefit claims.
  • Risk adjusting amounts due based on enrollee health status and demographic characteristics.
  • Billing, claims management, collection activities, obtaining payment under a contract for reinsurance (including stop-loss insurance and excess of loss insurance), and related health care data processing.
  • Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges and utilization review activities, including precertification and preauthorization of services, concurrent and retrospective review of services.
  • Disclosure to consumer reporting agencies of any of the following protected health information relating to collection of premiums or reimbursement:
    • Name and address
    • Date of birth
    • Social Security Number
    • Payment history
    • Account number
    • Name and address of the health care provider and/or health plan

Personal Representative

A person with authority to act on behalf of another individual, including a deceased individual, in making decisions related to health care and/or health care information.

Physical Safeguards

Physical measures, policies, and procedures (e.g., locks and identification cards) that protect NIU’s electronic information systems, buildings, and equipment, from natural and environmental hazards and from unauthorized intrusion.

Privacy Policies or Policy

Northern Illinois University’s HIPAA Security and Privacy Compliance Policy, in sum or in part.

Privacy Rule(s)

Those standards, implementation specifications, rules and/or other requirements promulgated by the United States Department of Health and Human Services for the protection of Individually Identifiable Health Information, as set forth at 45 CFR, Parts 160 and 164.

Protected Health Information ("PHI")

A subset of Individually Identifiable Health Information that is transmitted or maintained in any form or medium.

PHI does not include:

  • Information about any individual who has been deceased for fifty years or more.
  • Individually Identifiable Health Information in education records under FERPA or employment records held by a covered component as an employer.
  • Psychotherapy notes recorded in any medium by a Health Care Provider who is a mental health professional documenting or analyzing the contents of a conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of a patient’s medical records, excluding medication prescription and monitoring, counseling session start and stop times, modalities and frequency of treatments furnished, results of any clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.
  • Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.

Public Health Activities

NIU defines Public Health Activities as any activity currently listed in law or any regulatory structure for that purpose.

Security Event

Any reported event or potential breach of Confidentiality of an individual’s Records subject to the Reporting, Security Event Assessment and Breach Response Policy.

Security Event Assessment

An assessment to determine whether PHI has been compromised by a Security Event pursuant to the Event Response Policy. These assessments are managed by the Breach Assessment Team.

Security Rules

Standards, implementation specifications, rules and/or other requirements promulgated by the United States Department of Health and Human Services for the protection of Individually Identifiable Health Information, as set forth at 45 CFR Parts 160, 162 and 164.

Technical Safeguards

The technology, policy, and procedures for the use of ePHI that protect and control access to it.

Unsecured Protected Health Information

PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons using a technology or methodology specified by the U.S. Department of Health and Human Services. PHI is deemed "secured" only if it is encrypted or destroyed in accordance with the guidance referenced by Health and Human Services and published by the National Institute of Standards and Technology.

Use

The employment, application, examination, or analysis of Individually Identifiable Health Information by an individual within the covered component or the sharing of PHI with an individual within the covered component.

Workforce

Employees, volunteers, trainees, "healthcare providers," and other persons whose conduct, in the performance of work for a covered component, is under the direct control of the covered component, whether or not they are paid by the covered component.
