ºÚÁÏÉçÇø

1.0 Purpose

ºÚÁÏÉçÇø is committed to protecting the privacy and security of health information in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This policy outlines the standards for safeguarding Protected Health Information (PHI) and ensuring compliance with HIPAA regulations.

2.0 Scope

This policy applies to all University departments, employees, contractors, volunteers, and students who may have access to PHI as part of their roles or academic activities. PHI is defined as any information related to an individual’s health status, healthcare, or payment for healthcare that can be linked to a specific person.

3.0 Definitions

1. Protected Health Information (PHI): Any individually identifiable health information transmitted or maintained in any form or medium.
2. Covered Entity: A health plan, healthcare clearinghouse, or healthcare provider that transmits health information electronically.
3. Business Associate: Any organization or individual that performs activities involving PHI on behalf of a covered entity.

4.0 Responsibilities

1. Privacy Officer: ºÚÁÏÉçÇø will designate a Privacy Officer responsible for overseeing HIPAA compliance, including training, monitoring, and responding to potential violations.
2. Employees and Students: All personnel must safeguard PHI and report potential breaches to the Privacy Officer promptly.

5.0ÌýUse and Disclosure of PHI

1. PHI may only be used or disclosed for treatment, payment, and healthcare operations, or as otherwise permitted or required by law.
2. Written authorization must be obtained from individuals for uses or disclosures not covered under permissible exceptions.
3. Minimum Necessary Standard: Access to PHI will be limited to the minimum necessary information needed to fulfill job responsibilities.

6.0Ìý³§²¹´Ú±ð²µ³Ü²¹°ù»å²õ

1. Administrative Safeguards: Policies and procedures will be implemented to prevent, detect, and correct potential HIPAA violations.
2. Physical Safeguards: PHI must be stored securely to prevent unauthorized access. Hard copies should be locked when not in use, and electronic systems must have password protection.
3. Technical Safeguards: Electronic PHI will be protected through encryption, secure access protocols, and regular audits.

7.0Ìý°Õ°ù²¹¾±²Ô¾±²Ô²µ

ºÚÁÏÉçÇø will provide mandatory HIPAA training for all employees, contractors, and students who handle PHI. Training will be conducted upon hiring and annually thereafter.

8.0ÌýBreach Notification

1. Reporting: All suspected or confirmed breaches of PHI must be reported immediately to the Privacy Officer.
2. Investigation: The Privacy Officer will investigate reported breaches and take appropriate action, including notifying affected individuals and regulatory authorities as required by law.

9.0ÌýEnforcement and Disciplinary

Violations of this policy may result in disciplinary action, up to and including termination of employment or academic expulsion, in accordance with University policies.

10.0ÌýRetention of Records

PHI and related documentation will be retained for a minimum of six years or as required by applicable laws and University policies.

11.0Ìý´¡³¾±ð²Ô»å³¾±ð²Ô³Ù²õ

ºÚÁÏÉçÇø reserves the right to amend this policy as necessary to comply with changes in laws or regulations or to enhance its privacy and security practices.

Contact Information

For questions or concerns about this policy, contact: Dr. Megan Karbley, Director of Compliance

• US Mail: 2067 Campus Box, Elon, NC 27244,
• E-mail: Ìýmkarbley@elon.edu
• Phone:Ìý (336) 278-5787

Cone Health – Patient Records and Privacy

ºÚÁÏÉçÇø partners with Cone Health to provide Student Health Services and Faculty/Staff Health and Wellness Services. Information about HIPAA polices regarding any services or practicesÌý may be found on the .