Ohio Administrative Code
Title 3342 - Kent State University
Chapter 3342-6 - Administrative Policy on Awards and Compensation for University Employees
Section 3342-6-21.4 - Administrative policy for privacy for protected health information
Universal Citation: OH Admin Code 3342-6-21.4
Current through all regulations passed and filed through September 16, 2024
(A) Definitions.
(1)
"HIPAA." "HIPAA" is the "Health Insurance Portability
and Accountability Act of 1996" and the "Administrative Simplification"
regulations found in title 45 of the Code of Federal
Regulations.
(2)
Protected health information. Protected health
information is individually identifiable health information as defined and
protected under "HIPAA."
(B) Designation of privacy official.
(1)
The President shall designate a privacy official who
shall coordinate the university's compliance with "HIPAA, " including, but not
limited to, gathering information sought by a requestor, providing for the
inspection of such information by the requestor, furnishing copies to the
requestor and receiving complaints.
(a)
In order for the university to comply fully with
"HIPAA, " the university privacy official shall have full authority to gather
such information as is necessary to comply with the request.
(b)
The university
privacy official shall have the authority to an individual or individuals to
assist with "HIPAA" compliance obligations.
(2)
All university
employees shall cooperate fully with the university privacy official in "HIPAA"
compliance efforts, including but not limited to, providing the records
requested, allowing for proper inspection and copying of the records, and
conducting inspections and audits as necessary to conform with the requirements
of the law.
(3)
The university privacy official shall designate those
academic and administrative health care units covered by "HIPAA" as part of the
covered health care component of the university. The university privacy
official shall maintain a list of all units covered by "HIPAA" and of all other
units included within the covered health care component of the university,
which serve as business associates within the university covered health care
component for "HIPAA" purposes.
(4)
The university
privacy official shall have the authority to review all privacy,
confidentiality and security standards and procedures created by academic and
administrative departments that are part of the covered health care component
of the university and to direct changes to such standards and procedures as
necessary.
(C) Unit requirements.
(1)
Academic and
administrative departments determined by the university privacy official to be
part of the covered health care component of the university shall:
(a)
Develop "HIPAA
Policies and Procedures" that are unit specific standards and procedures to
protect the privacy, confidentiality, and security of protected health
information that comply with "HIPAA" and with this rule, which may be amended
from time to time.
(b)
Train all unit employees who have access to records
protected by "HIPAA" on the "HIPAA: requirements, the university policies and
procedures for release, privacy and security of selected health information,
and the unit standard and procedures for privacy, confidentiality, and security
of records protected by HIPAA." Such training must be conducted as the
university privacy official deems necessary and within a reasonable period of
time after a new individual joins one of the covered health care
components.
(c)
Distribute a notice of privacy practices as necessary
under "HIPAA." The notice of privacy practices must contain all "HIPAA"
required elements and be approved by the university privacy official prior to
being distributed.
(d)
Document compliance efforts as required by
"HIPAA."
(e)
Comply with all federal, state, and local laws and
regulations related to the privacy, confidentiality, and security of medical
information.
(D) Business associates. Units within the covered health care component of the university may share protected health information with third parties, referred to as business associates, who provide the units within the covered component with services that use or involve health information. These units shall only share such information with business associates pursuant to a business associate approved by the office of university counsel.
(E) University employees. University employees in "HIPAA" covered components shall:
(1)
Limit uses and
disclosures of all health information to the minimum necessary to complete the
assigned task.
(2)
Upon discovery, report all incidents of misuse of
improper disclosure of protected health information to the university privacy
official.
(F) Retaliation. The university shall not tolerate nor engage in retaliation against any employee who reports an incident of misuse or improper disclosure of protected health information to the university privacy official or to the secretary of the department of health and human services.
(G) Discipline.
(1)
Any employees who uses or discloses protected health
information contrary to this policy shall be subject to discipline under the
applicable disciplinary policies or collective bargaining
agreement.
(2)
Covered components shall document any sanctions imposed
for violations of this rule of the Administrative Code, or unit standards and
procedures, as required by "HIPAA."
Replaces: 3342-6- 21.4
Disclaimer: These regulations may not be the most recent version. Ohio may have more current or accurate information. We make no warranties or guarantees about the accuracy, completeness, or adequacy of the information contained on this site or the information linked to on the state site. Please check official sources.
This site is protected by reCAPTCHA and the Google
Privacy Policy and
Terms of Service apply.
