Sec. 1 Purpose
The Health Insurance Portability and Accountability Act (HIPAA) Privacy Standards govern the confidentiality of individuals' health information maintained in the health care system. An entity covered by the HIPAA Privacy Standards generally must comply with the following obligations: (i) Use or Disclose health information only as permitted by the HIPAA Privacy Standards; (ii) limit requests, Uses, and Disclosures of health information to the minimum necessary; (iii) give individuals a notice of the entity's privacy practices; (iv) provide certain rights to individuals with respect to their health information; and (v) establish certain administrative procedures to ensure health information is kept confidential, such as the designation of a privacy official and the establishment of sanctions against workforce members who breach an individual's privacy rights.
The University of Texas System Administration (System Administration) is a Hybrid Entity that is required to comply with HIPAA. System Administration has compiled policies and forms (the Manual) that constitute official policies of System Administration, which have been adopted as this HOP 4.1.4. The Manual is maintained on the website of the Office of Employee Benefits, which is the office within System Administration that houses its Covered Entity, at http://www.utsystem.edu/offices/employee-benefits/hipaa-and-privacy.
Sec. 2 Description of the System Administration HIPAA Policy Manual
The Manual is adopted to describe how System Administration treats Protected Health Information (PHI) by System. The policies and procedures are intended to comply with 45 C.F.R. §§ 164.530(i) and (j)(1)(i), which require System Administration, as a HIPAA Hybrid Entity that has an office that houses Self-funded Group Health Plans that are Covered Entities, as well as offices that function as Business Associates (collectively the Health Care Component), to implement and design privacy policies and procedures that comply with the HIPAA Privacy Standards and to maintain such privacy policies and procedures in written or electronic form. Additionally, these policies address System Administration's duties as a Plan Sponsor to other Fully insured Group Health Plans through which employees, retirees and their eligible dependents are insured.
Definitions
Covered Entity - a health plan, a health care clearinghouse, or a health care provider (as defined by HIPAA) who transmits any health information in electronic form in connection with a transaction covered by Subchapter C of Subtitle A of Title 45 of the Code of Federal Regulations.
Disclose - Divulging information outside the Health Care Component, including release, transfer, or provision of access to information.
Fully insured Group Health Plan - group health coverage that is offered to eligible employees, retired employees, spouses, and eligible dependents of The University of Texas System pursuant to the Uniform Insurance Benefits Act for Employees of The University of Texas System and The Texas A&M System, that is purchased by The University of Texas System from a carrier.
HIPAA Privacy Standards - The privacy regulations at Part 160 of, and subparts A and E of Part 164 of, Title 45 of the Code of Federal Regulations, as amended from time to time.
Hybrid Entity - a single legal entity that performs both functions that are subject to the HIPAA Privacy Standards and non-HIPAA covered functions and that segregates its covered functions from its non-covered functions for purposes of compliance with the HIPAA privacy standards.
Plan Sponsor - An employer that maintains a group health plan for its employees.
Protected Health Information - any information transmitted or maintained in any form or medium (including orally), that: (i) is created or received by a health care provider, health plan, employer, or health care clearinghouse; (ii) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future Payment for the provision of health care to an individual; and (iii) either identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual; provided that the term "PHI" does not include: (A) education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. § 1232g, (B) student treatment records described at 20 U.S.C. 1232g(a)(4)(B)(iv), and (C) employment records held by a Hybrid Entity in its role as employer.
Self-funded Group Health Plans - coverage that is offered to Members of The University of Texas System pursuant to the Uniform Insurance Benefit Act for Employees of The University of Texas System and The Texas A&M University System, Texas Insurance Code Chapter 1601 (the Act) and that is self-funded by The University of Texas System and exempt from any insurance law of Texas that does not expressly apply to the Act.
Use - both (i) employment, application, utilization, examination, or analysis of information, and (ii) sharing information within an entity.