HIPAA Privacy and Security Compliance Plan

Drexel University Clinical Covered Entities
HIPAA Privacy and Security Program

Policy Title: HIPAA Privacy and Security Compliance Plan
Effective Date: April 14, 2003
Last Revision: April 20, 2005; September 23, 2013; 2017
Responsible Officer: Vice President, Chief Compliance, Privacy and Internal Audit Officer

I. Introduction

This HIPAA Privacy and Security Compliance Plan describes the Drexel University (DU) policies, procedures, and standards of conduct designed to ensure our compliance with the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (HIPAA), specifically 45 CFR Parts 160, 162 and 164: the Standards for Privacy of Individually Identifiable Health Information, Final Rule (the Privacy Rule); the Health Insurance Reform: Security Standards, Final Rule (the Security Rule); the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009 (HITECH); and the final HIPAA rule that implements a number of HITECH provisions to strengthen the privacy and security protections for health information established under HIPAA (the Omnibus Rule). Failure to abide by the rules, policies and procedures established by this Plan, or behavior in violation of the Privacy Rule or Security Rule, may result in disciplinary action. Willful failure by any employee of DU to comply with the policies and procedures contained in this Plan will result in dismissal from employment. Consult the Human Resources Policy Manual or contact our Privacy Officer if you have any questions about DU's commitment to effective HIPAA compliance. DU expects that all employees, faculty, staff and students (Workforce Members) will comply with its HIPAA Privacy and Security Compliance Plan.

II. Compliance Mission Statement

DU strives at all times to maintain the highest degree of integrity in its interactions with patients and the delivery of quality health care. DU and its Workforce Members will at all times strive to maintain compliance with all laws, rules, regulations and requirements affecting the practice of medicine and the handling of patient information. The protection of the privacy and security of an individual’s protected health information (PHI) and electronic protected health information (e-PHI) is a priority at DU.

III. HIPAA Compliance Personnel

A. Privacy and Security Officers

  1. Privacy Officer
     
    DU has appointed the Chief Compliance Officer as our Chief Privacy Officer to oversee the privacy of patient information. While there is a specific job description for the Privacy Officer, generally he/she is charged with the following responsibilities:
    1. oversee and monitor implementation of the Privacy components of the HIPAA Privacy and Security Compliance Program;
    2. prepare and present regular reports to the Board of Directors and DU, as a whole, on DU compliance;
    3. develop and implement a training program focusing on the privacy components of the HIPAA Privacy and Security Compliance Program, and ensure that training materials are appropriate for all DU employees;
    4. ensure that independent contractors who furnish medical services to DU are aware of the privacy requirements of DU's HIPAA Privacy and Security Compliance Program;
    5. coordinate our privacy compliance efforts within DU, and establish methods both to improve DU’s efficiency and quality of services and to reduce DU’s vulnerability to privacy policy abuse;
    6. revise the HIPAA Privacy and Security Compliance Program periodically, in light of changes in the needs of DU or changes in the law of Government and private payer health plans;
    7. develop mechanisms to receive and investigate reports of privacy abuse and monitor subsequent corrective action and/or compliance; and
    8. develop policies and programs that encourage employees to report non-compliance without fear of retaliation.
  2. Security Officer
     
    DU has appointed a Chief Information Security Officer (Security Officer) to oversee the security of DU's information and technology systems. The Security Officer is charged with the following responsibilities:
    1. oversee and monitor the implementation of the Security components of the HIPAA Privacy and Security Compliance Program;
    2. prepare and present regular reports together with the Privacy Officer to the Board of Directors and DU, as a whole, on DU compliance;
    3. develop and implement a training program focusing on the security components of the HIPAA Privacy and Security Compliance Program, and ensure that training materials are appropriate for all DU employees;
    4. ensure that independent contractors who furnish information services to DU are aware of the requirements of DU’s HIPAA Privacy and Security Compliance Program;
    5. coordinate security compliance efforts within DU and establish methods, such as periodic audits, both to improve DU’s efficiency and quality of services and to reduce DU’s vulnerability to security abuse;
    6. revise the HIPAA Privacy and Security Compliance Program periodically, in light of changes in the needs of DU or changes in the law of Government and private payer health plans;
    7. develop mechanisms to receive and investigate reports of non-compliance and monitor subsequent corrective action and/or compliance; and
    8. develop policies and programs that encourage employees to report non-compliance without fear of retaliation.

B. Generally

Every DU Workforce Member is expected both to be familiar with the DU commitment and to cooperate with the Privacy and Security Officers (the Compliance Officers) when requested to do so. All are expected to comply fully with all reasonable requests made by the Compliance Officers. Failure to comply fully may result in disciplinary action appropriate to the non-compliance, and may also subject the individual to fines and penalties under HIPAA. Please consult your Human Resources Policy Manual.

IV. Training and Education

DU will conduct periodic training on an ongoing basis with the twin goals that: (1) all employees will receive training on how to perform their jobs in compliance with the standards of DU and any applicable regulations; and (2) each employee will understand that HIPAA compliance is a condition of continued employment.

Further, HIPAA training at a heightened level on the requirements of the Privacy and Security Rules may be necessary for certain DU Workforce Members, depending on their responsibilities. Individuals directly involved in these areas will receive extensive training specific to their responsibilities.

A. Affected Employees

All DU Workforce Members are required to meet the twin goals addressed above. The following Workforce Members are deemed to be subject to a heightened level of scrutiny by virtue of being involved in the areas of DU which are subject to the Privacy Rule and Security Rule ("Affected Employee(s)").

  • Physicians
  • Physician Extenders (i.e., Registered Nurse, Limited DU Nurses, Medical Assistants, Nurse Practitioners, Physician Assistants, and/or anyone responsible for medical record documentation)
  • Technicians, Scribes, or anyone else responsible for documenting the medical record
  • DU Administrators
  • Office Managers/Business Managers
  • Billing/Collections and Accounts Receivable Personnel
  • Front Desk Personnel (Check-in, Check-Out)
  • Authorization Specialists
  • Faculty
  • Medical Students

B. Mandatory Attendance

All Affected Employees are required to attend initial training on the HIPAA Privacy and Security Compliance Program. HIPAA Privacy Office Compliance Personnel (“Compliance Personnel”) shall maintain a list of "approved" compliance education/training programs. Affected Employees will attend HIPAA compliance education/training programs as assigned by access category. To the extent that an Affected Employee begins providing services in the capacity of a Business Associate, such Affected Employee will receive Business Associate training within a reasonable time after beginning to provide Business Associate services for a covered entity.

Attendance at HIPAA face-to-face compliance education/training by faculty shall be documented and maintained by the department and the Privacy Officer.

Master copies of all educational and training materials received by an Affected Employee at approved programs shall be the property of DU and shall be maintained in a designated location for periodic review by DU employees.

V. Communication and Reporting

A. Dissemination of Materials

All information obtained by the Privacy Officer, including manuals, changes in regulations and the like, shall be promptly made available to all Affected Employees. Employees who receive information which they believe to be relevant to the HIPAA compliance efforts of DU are required to provide such information to the Privacy Officer. Except as otherwise noted, Privacy Office Compliance Personnel shall be responsible for disseminating relevant materials to Affected Employees.

DU employees shall also maintain all relevant materials in a designated location for periodic review.

B. Questions and Concerns

All Employees, as a condition of their employment, are expected to read this HIPAA Privacy and Security Compliance Plan and understand its principles. DU recognizes, however, that HIPAA rules and regulations are complicated and may need further clarification beyond the materials contained in this Plan. Therefore, all Workforce Members with questions regarding this Plan or compliance in general are strongly encouraged to seek answers to, and/or clarification of, any such question or law/regulation/policy from the Privacy Officer. A request for answers or clarification may be submitted to Compliance Personnel (1) in writing or in person, by appointment with HIPAA Compliance Personnel, or (2) confidentially, as described in Section D below.

C. Reporting of Violations or Suspected Violations

Any Workforce Member who is aware of any actual or suspected violation of any DU HIPAA compliance policy ("Violation" or "Violations") is required to report such Violations immediately to Compliance Personnel for investigation. Violations may include an actual or suspected violation of federal or state legislation, regulations, or requirements pertaining to the security, integrity, or confidentiality of individually identifiable health information. Following receipt of such a report, the Privacy Officer shall conduct an investigation and, to the extent required, provide notification in accordance with DU’s Privacy Policies.

D. Confidentiality

It is DU policy that no retaliatory action will be taken against a Workforce Member who makes a report, if that report is made based upon a good faith belief that a Violation has occurred, is occurring, or is likely to occur in the near future, and the employee follows the procedures required herein.

In addition, whenever possible DU will make all reasonable efforts to keep confidential the identity of the reporting Workforce Member. Workforce Members who wish to make an anonymous report of Violations may submit a written report to the Privacy Officer at mail stop 666. The Incident Report Form set forth in Policy IM-09 attached hereto may be used for such purposes.

E. Investigation and Remedial Action

The Privacy Officer shall ascertain the most appropriate means of investigating and responding to such report. Compliance Personnel shall conduct investigations in a timely manner.

Based upon the findings of such investigation, Compliance Personnel will take such remedial action as is needed to ensure (1) that the Violation ceases immediately, and (2) that the Violation will be prevented from occurring in the future. In the event that it is determined that there has been an actual Breach (as defined under HIPAA and set forth in the Privacy Policies), notification will be provided to the affected individuals, to the Secretary of the Department of Health and Human Services, and, to the extent required, to the media.

All reports of Violations (suspected or deemed actual after investigation), investigative findings, and remedial actions taken shall be documented and maintained by Compliance Personnel.

F. Disciplinary Action

Any Workforce Member who is found to have committed an actual Violation or Violations shall be subject to appropriate disciplinary action. The level of such disciplinary action shall be determined by the Supervisor after consulting with Compliance Personnel, and shall be based upon a number of factors including, but not limited to, the following:

  1. the nature of the Violation or Violations;
  2. the employee's level of intent in committing such Violation or Violations (e.g., negligence, willful); and
  3. special circumstances surrounding or contributing to the Violation or Violations.

The disciplinary action(s) that may be taken against an employee who is found to have committed a Violation are spelled out in the Human Resources Policy Manual and generally include:

  1. admonishment;
  2. written reprimand (which shall be included in the employee's personnel file);
  3. suspension; and
  4. employment termination.

In addition to the disciplinary action(s) set forth above, and on the advice of the Office of General Counsel, DU may turn an employee who has committed a Violation over to the appropriate authority for criminal prosecution, as appropriate or as required by law. In addition to DU disciplinary actions, the Workforce Member may be held directly liable under HIPAA for Violations.

VI. Auditing and Monitoring

To ensure ongoing HIPAA compliance, Compliance Personnel shall conduct regular auditing of DU functions and operations subject to the Privacy and Security Rules. Those DU functions/operations include, but are not limited to, the following:

  1. protection of patient information; and
  2. security measures for information systems that contain e-PHI.

Audits will include a complete evaluation of DU procedures, a detailed examination of randomly selected transactions, and a report of the findings for Compliance Personnel records.

In addition, Compliance Personnel, in conjunction with the department supervisors, will regularly monitor the performance of all Affected Employees to ensure compliance with all applicable compliance standards and policies.

If, based upon an audit, DU is found to be non-compliant with the Privacy Rule or Security Rule, Compliance Personnel, in conjunction with the Office of General Counsel, as appropriate, shall take prompt remedial action.

VII. Responding to Inquiries

If any Workforce Member of DU receives an oral or written inquiry regarding DU's compliance with the Privacy Rule, Security Rule, or any private payer requirement, from any source, whether governmental or private, the Workforce Member shall immediately notify the Privacy Officer prior to responding in any way to the inquiry. Compliance Personnel shall:

  1. identify the person or entity making the inquiry;
  2. verify their authority for the inquiry; and
  3. ascertain the nature of the inquiry.

The Privacy Officer shall then immediately notify the Office of General Counsel to assist in responding to the inquiry.

VIII. Hiring and Employment Termination

A. Hiring

DU policy is to screen from the employment process candidates who have been convicted of any health care related crime or who are listed as debarred, excluded or ineligible to participate in federal or state health care programs.

B. Employment Termination

Upon employment termination, for any reason, employees may be required to schedule and attend an exit interview with their immediate supervisor, DU office manager, and Compliance Personnel. At the exit interview, the employee shall be expected to report any Violation(s) or suspected Violation(s) of any policy pursuant to this HIPAA Privacy and Security Compliance Program.

Responses to exit interview questions will be recorded in writing and maintained in the departing employee's personnel file.

IX. Policies and Procedures

A. HIPAA Privacy Information Management Policies and Procedures are provided as appendices to this plan and are complete with required forms.

B. HIPAA Security Information System Policies and Procedures are provided as appendices to this plan.
