RCUH Policies and Procedures
Research Corporation of the University of Hawai‘i
3.210C Addendum: Employee Positions Affected by HIPAA Rules for Medical Records
I. Policy
All RCUH employees who are working with Protected Health Information (PHI) are required to comply with the requirements set forth by the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 (collectively HIPAA) and the HIPAA/PHI policies, procedures, and training requirements of their respective agency/unit.
Medical records contain information that must be protected from unauthorized use. HIPAA defines the types of information in medical records that must be protected. The HIPAA rules establish the conditions under which PHI, defined as individually identifiable health information, may be used or disclosed. The Office for Civil Rights (OCR) under the U.S. Department of Health & Human Services is responsible for enforcing HIPAA.
Research health information is subject to HIPAA rules and regulations. Other state and federal laws also govern privacy and confidentiality of personal health information obtained in research. University of Hawai‘i activities should refer to the University of Hawai‘i IRB Human Studies Program for additional guidance regarding research health information (http://www.hawaii.edu/irb/html/categories.php).
II. Responsibilities
A. RCUH Employee
1. Follow the HIPAA policies, procedures, and training requirements of the agency/unit for which they are employed.
B. Principal Investigator
1. Ensure employees are required to receive and do receive training on the handling of PHI in accordance with HIPAA.
2. Address and disclose the agency/unit’s HIPAA/PHI policies, required regulatory compliance, and any business associate and/or related agency/unit’s policy to the RCUH Human Resources Department.
3. Provide written assurance to the RCUH Human Resources Department that the PI’s agency/unit has a HIPAA/PHI policy, training, and internal controls that meet all regulatory requirements prior to any RCUH employees being hired into a position exposing them to HIPAA/PHI.
4. Disclose contact information of the agency/unit’s Security Officer to the RCUH Human Resources Department.
5. Work with the RCUH Human Resources Department to ensure all employees who work with HIPAA/PHI have the standard verbiage for HIPAA/PHI compliance in their job descriptions.
C. RCUH Human Resources
1. Assist the Principal Investigators (or designees) with updating job descriptions of all employees that work with HIPAA/PHI.
III. Applications
All Principal Investigators and/or designees with RCUH employees (recruited and non-recruited hires) that handle information protected under HIPAA, and/or PHI. The policy also applies to all RCUH employees (recruited and non-recruited hires) that handle information protected under HIPAA, and/or PHI.
IV. Details of Policy
A. Definitions Relating to This Policy
1. Protected Health Information: Individually identifiable health information that can be linked to a particular person. Information may relate to the following:
a. The individual’s past, present, or future physical or mental health or condition;
b. The provision of health care to the individual; or
c. The past, present, or future payment for the provision of health care to the individual.
Common identifiers of PHI include names, Social Security numbers, addresses, phone numbers, birth dates, medical record numbers, etc.
2. Personally Identifiable Information (PII): Information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual. PII that does not relate to health information is not considered PHI.
3. De-Identified Information: Information in which all potentially identifying information has been removed, and there is no reasonable basis to believe the remaining information could be used to identify a person. De-identified information is not considered PHI.
B. Applications of HIPAA Rules
1. Covered Entities: Those who work under the direct control of a covered entity (paid or unpaid), any of the three of which transmits health information in electronic form:
a. A health plan;
b. A health care clearing house; or
c. A health care provider (defined as an entity that provides medical or health services in the normal course of its activities).
2. Business Associates: Those (paid or unpaid) who provide financial, legal, business, or administrative support services to a covered entity, and whose unit receives PHI from the covered entity in the course of performing the services. It is common for covered entities to engage the services of a business associate.
a. Due to the transfer of PHI from the covered entity to the business associate, HIPAA requires that the contract between the covered entity and business associate provide rules for the use and disclosure of PHI.
C. Administrative Requirements
1. Principal Investigators
a. They are responsible, along with their respective agency/unit, for ensuring that all RCUH employees are required to receive and do receive training on the handling of PHI in accordance with HIPAA. Such responsibilities of the Principal Investigators will address the agency/unit’s HIPAA/PHI policies, required regulatory compliance, and any business associate’s or other related agency/unit’s policy.
b. Each covered entity or business associate is required to designate a security officer, who is responsible for establishing, implementing, and enforcing policies to safeguard PHI that are specific to the systems of the covered entity or business associate. Principal Investigators are responsible at all times for knowing who the security officer is for their unit.
c. PIs must provide written assurance to the RCUH that their agency/unit has a HIPAA/PHI policy, training, and internal controls that meet all regulatory requirements prior to any RCUH employee being hired into a position exposing them to HIPAA/PHI.
i. If employing individuals who are working with HIPAA/PHI, PIs must notify the RCUH Human Resources Department while creating the job description and ensure compliance with RCUH’s HIPAA Policy.
d. Must work with the RCUH Human Resources Department to ensure all employees who work with HIPAA/PHI have the following verbiage in their job descriptions:
i. Policy and/or Regulatory Requirements: As a condition of employment, employee will be subject to all applicable RCUH policies and procedures and, as applicable, subject to University of Hawai‘i’s and/or business entity’s policies and procedures. Violation of RCUH’s, UH’s, or business entity’s policies and/or procedures or applicable State or federal laws and/or regulations may lead to disciplinary action (including, but not limited to, possible termination of employment, personal fines, civil and/or criminal penalties, etc.).
ii. Employee must complete University of Hawai‘i’s and business entity’s training relating to HIPAA/PHI privacy and security relating training as soon as possible but not later than the first six (6) months of the new hire probation period. Must maintain a current status on University and/or business entity’s training requirements.
iii. Employee must undergo a post-offer criminal background check.
e. The RCUH will not employ staff in projects that have no policy, training, or internal controls for compliance with HIPAA/PHI regulations.
2. RCUH Employees
a. Must follow the HIPAA policies for the agency/unit for which they are employed.
V. Contact
Stacie Kondo, Human Resources Management Specialist
Number: (808) 956-8953
Email: [email protected]
VI. Relevant Documents
Policy 3.210 Hiring Options Through RCUH
Policy 3.234 Recruitment of Regular Hires
Policy 3.235 Selection of Regular Hires
Date Revised: 4/25/17