2.13.4 Subject: UNIVERSITY HIPAA COMPLIANCE POLICY
Adopted: March 10, 2003
Amended: September 9, 2008
Amended: September 29, 2009
Preamble
The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the regulations issued by the Department of Health and Human Services under the Administrative Simplification subtitle of HIPAA (the “Regulations”) establish a regulatory scheme to protect the confidentiality of personal health care information. The Regulations permit an institution like the University of New Mexico (the “University”) that includes health care components and non-health care components to designate itself a “hybrid covered entity.” As a hybrid covered entity, the University can limit the application of HIPAA and the Regulations to its designated health care components. In addition, the University also sponsors a self-insured group health benefit plan for the benefit of its employees and their dependents and certain other self-insured medical, dental, prescription drug, and vision health benefit plans (collectively, the “UNM Medical Plan”). The UNM Medical Plan, as a self-insured group health benefit plan, shall be considered an “organized health care arrangement” within the meaning of HIPAA and the Regulations. As a an organized health care arrangement and covered entity within the University, the UNM Medical Plan is considered a “health care component” within the meaning of HIPAA and the Regulations. The purpose of this policy is to (a) designate the health care components of the University that will serve as the “hybrid covered entity” under HIPAA, (b) designate the health care components of the University and the UNM Medical Plan as an “organized health care arrangement,” within the meaning of HIPAA and the Regulations, and (c) delegate the administrative authority to assure that the University complies with HIPAA and the Regulations.
The other purpose of this policy is to delegate the administrative authority to assure that the University complies with HIPAA and the Regulations.
Applicability
This policy applies to the components of the University designated as health care components of the University, and to the officers of the University charged with taking action to assure compliance with HIPAA and the Regulations.
Policy
The University shall be deemed a “hybrid covered entity” within the meaning of the Regulations. Certain components of the University, as set forth in Exhibit A to this policy, will be designated “health care components” of the University. The health care components will be required to comply with HIPAA and the Regulations. The health care components of the University shall be considered an “organized health care arrangement.” All components of this organized health care arrangement will be required to comply with HIPAA and the Regulations.
Implementation
The President of the University shall delegate responsibility to assure compliance with HIPAA and the Regulations to the appropriate officers of the University. In furtherance of the University’s compliance effort, health care components of the University will be required to prepare budgets, as necessary, for implementation and compliance with HIPAA and the Regulations, and shall approve necessary expenditures of funds and resources to assure compliance. The President, or his designee, may revise Exhibit A, as appropriate, by adding or deleting health care components. Provision will be made to certify the training of University personnel in the health care components about compliance with HIPAA and the Regulations. The President is also authorized to take any additional actions necessary to assure compliance of the University with HIPAA and the Regulations including the promulgation of any administrative policy(ies) necessary to carry out this Policy.
Pursuant to the Lease between the Regents and the Board of County Commissioners of Bernalillo County, as described in Regents’ Policy 2.13 (the “Lease”), the Regents have delegated to the University of New Mexico Hospitals Board of Trustees (the “UNMH BOT”) the authority to review, monitor, and act upon issues involving compliance by the UNMH Facilities and the employees thereof with applicable federal and state health care regulatory requirements including, without limitation, compliance with HIPAA and the Regulations, subject to review and ratification by the Regents.
The Regents, through the UNMH BOT in respect of HIPAA compliance matters involving the UNMH Facilities and the employees thereof and the Regents’ Health Sciences Committee in respect of all other areas involving HIPAA compliance at the HSC, will exercise oversight of the University’s HIPAA compliance program in respect of the health care components of the University over which they respectively exercise jurisdiction under and pursuant to Regents’ Policy 2.13 by receiving and evaluating periodic reports provided to the Committee and/or the UNMH BOT by the HSC Compliance Director and/or Privacy Officer, and by providing policy guidance to the Executive Vice President of Health Sciences and other HSC officials with respect to development and implementation of the HIPAA compliance program in respect of the health care components of the University over which they respectively exercise jurisdiction under and pursuant to Regents’ Policy 2.13.
Appointment of Privacy Officer
The President shall cause a Privacy Officer to be appointed for the University, as required by the Regulations, and any additional staff necessary for timely implementation and compliance with HIPAA and the Regulations.
References
The Administrative Simplification Provisions of the Health Insurance Portability & Accountability Act of 1996 (HIPAA), codified at 42 U.S.C. § 1320d. Regulations pursuant to HIPAA codified at 45 C.F.R., Parts 160, 162, and 164; American Recovery and Reinvestment Act of 2009 (ARRA), Title XIII, Health Information Technology for Economic and Clinical Health Act (HITECH Act).
EXHIBIT A
THE UNIVERSITY OF NEW MEXICO
Health Care Components Designated
As a Hybrid Entity Pursuant to Regulations
Promulgated Pursuant to the Health Insurance Portability & Accountability
Act of 1996, As Amended
The University of New Mexico ("UNM"), as a hybrid covered entity under 42 C.F.R. Part 164.504 hereby designates the following operations as health care components for purposes of complying with the Health Insurance Portability and Accountability Act of 1996:
1. The Health Sciences Center and the UNMH Facilities (as defined in Regents’ Policy 2.13), excluding the Tumor Registry and the Office of the State Medical Investigator for the State of New Mexico in fulfilling its statutory duties as coroner
2. Telemedicine telehealth and/or teleradiology programs on all UNM campuses
3. Counseling Assistance & Referral Services
4. Center for Family & Adolescent Research
5. Center for Exercise
6. Psychology Clinic
7. Speech and Hearing Sciences
8. Employee Health Promotion Program
9. Any and all Lobo Clinics
10. Student Health Center, excluding those activities thereof covered by the Family
Education Rights and Privacy Act, 20 U.S.C. § 1232g, as amended11. Office of the University Counsel
12. Safety and Risk Services Department
13. Internal Audit Department
14. UNM Medical Plan
Comments should be sent to BRPM@UNM.edu
Go to:
Table of Contents
Table of Contents - Section 2
Regents' Policy Manual Homepage
![[UNM Home ]](http://www.unm.edu/graphics/unmhomebutton.gif){kind=small}
The University of New Mexico
Albuquerque, New Mexico