Privacy Policy Definitions

A Workforce Member who is involved in areas of Drexel University which are subject to HIPAA laws, rules and regulations, including serving as a Business Associate.

An entity or person who performs a function or activity on behalf a covered entity whereby the entity or person creates, receives, maintains or transmits PHI or e-PHI on behalf of a HIPAA covered entity or on behalf of another Business Associate.

Privacy Officer and staff.

Are defined in the HIPAA rules as (1) health plans, (2) healthcare clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.

The person designated by Deans, Department Chairs and Faculty Practice Administrators to be responsible for the management of particular data sets of the departments, offices, or Units, and responsible for the creation or collection of the data.

Any electronic computing device, such as a laptop or desk computer, PDA or other devices used to store e-PHI, diskettes, compact discs, DVDs, tapes, and other similar devices.

All computing machinery, networks and communication equipment and networks.

Protected health information that is maintained in or transmitted by Electronic Media.

The Health Insurance Portability and Accountability Act of 1996.

The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology. Subtitle D of the HITECH addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.

Consistent with the requirements as set forth in 45 C.F.R. §§ 164.103 and 164.105 as related to HIPAA and HITECH, Drexel University is one legal entity, specifically a hybrid entity. A hybrid entity includes both covered and non-covered functions, and designates its health care components as provided in the Privacy Rule. If a covered entity is a hybrid entity, the Privacy Rule generally applies only to its designated health care components. However, non-health care components of a hybrid entity may be affected because the health care component is limited in how it can share PHI with the non-health care component.

The final rule that implements a number of provisions of HITECH, enacted as part of the American Recovery and Reinvestment Act of 2009, to strengthen the privacy and security protections for health information established under HIPAA.

The regulation promulgated under HIPAA at 45 CFR §§ 160, 162 and 164 entitled Standards for Privacy of Individually Identifiable Health Information, Final Rule and under the Omnibus Rule.

Individually identifiable health information that is transmitted or maintained in any form or medium, including genetic information about a patient.

The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.

Periodic updates or reminders about security-related issues.

The regulation promulgated under HIPAA at 45 CFR §§ 160, 162 and 164 entitled Health Insurance Reform: Security Standards, Final Rule and under the Omnibus Rule.

The designated person responsible for setting up and maintaining hardware and/or software.

An actual or suspected violation of any Drexel University HIPAA Privacy and Security Program Compliance Policy, including any Business Associate policy.

All Drexel University employees, faculty, staff and students.

Electronic computing devices.