Hi Mark,

The draft revisions to the University of New Mexico’s HIPAA policy (which is a Regents’-level policy) do take a similar approach to the one described in your email. I have pasted the proposed revised version of the policy below.

Best,
Pamina

DRAFT OF 10-10-2017 – clean copy

Regents' Policy Manual - Section 3.8: Institutional HIPAA Compliance Program (formerly part of RPM 3.7)

Applicability

This policy applies to the “health care components” of the University’s Health Sciences Center (HSC), to other health care components of the University, and to the University’s organized health care arrangement (OHCA). The University is considered a “hybrid covered entity” because it consists of both health care components and non-health care components. The health care components of the hybrid covered entity are identified in Exhibit A to this policy.

HIPAA and HITECH

It is the policy of the health care components of the University to establish reasonable administrative, technical, and physical safeguards in an effort to protect the privacy of “protected health information” and “electronic protected health information” that the health care components create, obtain, or maintain, as required by the:

* Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA),
* Health Information Technology for Economic and Clinical Health Act, contained in the American Recovery and Reinvestment Act of 2009 (HITECH), and
* regulations issued by the Department of Health and Human Services with respect to HIPAA (collectively with HIPAA and HITECH, the “HIPAA Standards”).

Self-Insured Health Plans

The University and University Hospitals may sponsor self-insured health plans for the benefit of their respective employees and their dependents, including the UNM Self-Insured Health Plan, the Self-Insured Resident Physician Health Plan, and the Self-Insured Student Health Plan (each, a “Self-Insured Benefit Plan,” and, collectively, the “Self-Insured Benefit Plans”). The Self-Insured Benefit Plans shall each be considered a “covered entity” within the meaning of the HIPAA Standards.

HIPAA Privacy Officer

The University President has delegated to the Chancellor for Health Sciences responsibility for assuring that the University’s health care components identified in Exhibit A comply with the HIPAA Standards. As part of that responsibility, the Chancellor for Health Sciences designates an individual to serve as the HIPAA Privacy Officer for the University’s health care components. The responsibilities of the HIPAA Privacy Officer include assuring that Exhibit A accurately reflects the University’s health care components. The HIPAA Privacy Officer must notify the UNM Policy Office when Exhibit A should be amended. The UNM Policy Office has authority to amend Exhibit A at the request of the HIPAA Privacy Officer.

Affiliated Corporations

Two affiliated University Research Park and Economic Development Act (URPEDA) corporations that are components of HSC’s clinical arm are separate legal entities and, therefore, their own covered entities within the meaning of the HIPAA Standards. These URPEDA corporations are integral members of the UNM Health System, as defined in RPM 3.4 <http://policy.unm.edu/regents-policies/section-3/3-4.html>, and have adopted and implemented their own policies in respect to the HIPAA Standards, consistent with this policy. More specifically, UNM Medical Group, Inc. (UNMMG) and any and all clinics operated and/or managed by UNMMG are a covered entity separate from the University, including, without limitation, UNMMG’s provision of third-party administration, medical management, clinical management, network management, and related services in relation to any of the Self-Insured Benefit Plans. In addition, UNM Sandoval Regional Medical Center, Inc. (SRMC) and any and all clinics operated and/or managed by SRMC are a covered entity separate from the University.
At the same time, any self-insured group health benefit plan sponsored by SRMC for the benefit of SRMC employees and their dependents (the “SRMC Self-Insured Benefit Plan”) is also considered a separate covered entity.

Organized Health Care Arrangement

The HSC, the Self-Insured Benefit Plans, UNMMG, SRMC, the SRMC Self-Insured Benefit Plan, and the health care components listed in Exhibit A shall take the steps necessary to be considered an OHCA within the meaning of the HIPAA Standards when the parties mutually agree and benefit from joint activities. All components of the OHCA will undertake the steps necessary to comply with the HIPAA Standards.

References

* NMSA 1978, § 21-28-1 et seq. (“University Research Park and Economic Development Act”)
* 42 U.S.C. § 1320d, and as amended by the HIPAA Omnibus rule, effective March 26, 2013 (“The Administrative Simplification Provisions of the Health Insurance Portability and Accountability Act of 1996”)
* Regulations pursuant to HIPAA: 45 CFR, Parts 160, 162, and 164; American Recovery and Reinvestment Act of 2009; Title XIII; Health Information Technology for Economic and Clinical Health Act
* RPM 3.4 (“Health Sciences Center” <http://policy.unm.edu/regents-policies/section-3/3-4.html>)
* UNM’s HIPAA Compliance Policy for Certain Health Plans Offered by the University <http://hr.unm.edu/docs/hr/hipaa-compliance-policy-for-certain-health-plans-offered-by-the-university.pdf>

EXHIBIT A

The University of New Mexico, as a hybrid covered entity under 42 CFR Part 164.504, hereby designates the following operations as health care components for purposes of complying with the HIPAA Standards:

* HSC and its academic and clinical arms (as defined in RPM 3.4 <http://policy.unm.edu/regents-policies/section-3/3-4.html>, except for UNMMG and SRMC)
* Telemedicine, telehealth, and teleradiology programs (including, without limitation, Project ECHO) on all UNM campuses, hospitals, and clinics
* Counseling Assistance and Referral Services
* Speech and Hearing Sciences
* Employee Health Promotion
* Any and all Lobo Clinics
* Student Health and Counseling, excluding those activities thereof covered by the Family Education Rights and Privacy Act, 20 USC. § 1232g, as amended
* Office of the University Counsel when accessing or providing health care operational support services in respect to the HSC, the Self-Insured Benefit Plans, and/or to any of the other health care components identified in this Exhibit A
* Safety and Risk Services Department when accessing or providing health care operational support services in respect to the HSC, the Self-Insured Benefit Plans, and/or to any of the other health care components identified in this Exhibit A
* Internal Audit Department when accessing or providing health care operational support services in respect to the HSC, the Self-Insured Benefit Plans, and/or to any of the other health care components identified in this Exhibit A
* Applicable Human Resources Departments as follows:
    * of the University, in carrying out and discharging its administration duties in respect to its Self-Insured Benefit Plan
    * of UNM Hospitals, in carrying out and discharging its administration duties in respect to its Self-Insured Benefit Plan
* Information Technologies Department of the University, and the HSC, respectively, when accessing or providing mission support services in respect to the HSC, the Self-Insured Benefit Plans, and/or to any of the other health care components identified in this Exhibit A

___________________________________________

Pamina M. Deutsch
University Policy and Administrative Planning Director
UNM Policy Office, 114B Scholes Hall
MSC05 3357
1 University of New Mexico
Albuquerque, NM 87131-0001
Tel. 505.277-2069
Web. http://policy.unm.edu

From: <bounce-122034736-56848...@list.cornell.edu> on behalf of Mark Green <gree...@fiu.edu>
Reply-To: Association of College and University Policy Administrators <acup...@list.cornell.edu>
Date: Thursday, November 9, 2017 at 6:18 AM
To: Association of College and University Policy Administrators <acup...@list.cornell.edu>
Subject: [acupa-l] University HIPAA policy?

Hello everyone,

Here at FIU we are taking on a huge project, we are revising the University HIPAA policy(ies). Ultimately we would like to have an overarching University HIPAA policy(ies) and allow for each covered entity to have their own HIPAA policies and procedures that support the University HIPAA policy(ies).

1. Do you have a similar approach to HIPAA or your campus? Please state why or why not.
2. Please share your University HIPAA policy(ies).

Thank you,

Mark Green, MBA, CCEP
Compliance Manager
FIU Office of University Compliance & Integrity
11200 SW 8th Street PC 429
Miami, FL 33199
Phone: 305-348-0002
Fax: 305-348-7657
Email: gree...@fiu.edu
https://compliance.fiu.edu