HIPAA

Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.

HIPAA Privacy

Penn State remains committed to keeping your personal health information private. The Privacy Office is responsible for the implementation and administration of an institutionally based complaint process in compliance with the rules and regulations of HIPAA.

If patients believe their privacy rights have been violated, complaints may be made directly to the Penn State Privacy Office or to the U.S. Department of Health and Human Services Office for Civil Rights.

Protected Health Information (PHI)

The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information.

Pursuant to the HIPAA Breach Notification Rule, an individual has a right to receive a written notice if their unsecured PHI has been breached while in the possession, custody, or control of a Covered Component or vendor working with the Covered Component.

HIPAA and HITECH

Penn State is a hybrid entity; only parts of Penn State are subject to the Health Insurance Portability and Accountability Act (HIPAA) and/or Health Information Technology for Economic and Clinical Health (HITECH). HITECH applies to electronic health information and the dissemination thereof. The parts of Penn State that are regulated under HIPAA are referred to as Covered Components. The University has identified which of its specific units are Covered Components.

Covered Components are specified as a health care provider, health plan, or health care clearinghouse that transmits health information in electronic form in connection with a covered transaction. For more information regarding whether or not your unit would meet the definition of a Covered Component under HIPAA, directly contact the Penn State HIPAA Compliance Team at hipaa@psu.edu. For additional details on Covered Component (Entity) status, please refer to the U.S. Department of Health and Human Services.

The University Privacy Officer serves as the designated HIPAA Privacy Officer and is responsible for coordinating compliance with specific standards of the HIPAA Privacy Rule.

The designated HIPAA Security Officer is responsible for coordinating compliance with specific standards of the HIPAA Security Rule regulations, in regard to the protection of Electronic Protected Health Information (ePHI).

In addition, each identified Covered Component must participate in ongoing HIPAA compliance and must assign a staff member within their unit the responsibility for HIPAA compliance and regulatory implementation, covering both the HIPAA Privacy and Security Rules.

Training

The HIPAA Privacy Rule Training is required annually for all workforce members of the designated HIPAA Covered Components. To access the training for employees, go to the Learning Resource Network (LRN), log in using your Penn State account, and search “HIPAA Privacy Rule Training.”