HIPAA Core Policy: HIPAA Administration
Review/Revised Date: 3/14/2025
Category: Ethics and Integrity
Policy Owner: Provost
A. Identifying HIPAA Covered Entities
1. When a new unit, department, or clinic is established, Legal Counsel will assess and determine whether or not the new entity will be designated as a HIPAA covered entity, according to the definition and other guiding documentation provided by the federal HIPAA regulations.
2. Upon review of a HIPAA Privacy Core Policy, Legal Counsel and the Privacy Officer will reassess each UAB HIPAA covered entity identified in the “applicability” section of the policy to ensure each continues to qualify as a HIPAA covered entity.
B. Personnel Designations
1. UAB shall designate a HIPAA Privacy Officer who is responsible for developing, implementing, maintaining, and overseeing the policies and procedures regarding health information privacy to ensure UAB continues to comply with the Privacy Rule. The Privacy Officer will work with the UAB HIPAA Covered Entities’ Entity Privacy Coordinators to communicate and implement these policies and procedures.
2. UAB shall designate a HIPAA Security Officer who is responsible for developing, implementing, maintaining, and overseeing the policies and procedures regarding health information security to ensure UAB continues to comply with the Security regulations. The Security Officer will work with the UAB HIPAA Covered Entities’ Entity Security Coordinators to communicate and implement these policies and procedures.
3. The HIPAA Privacy Officer and the HIPAA Security Officer will work together on issues related to the privacy and security of patient information.
C. Workforce Training
1. UAB shall train all members of its HIPAA Covered Entities’ workforces (employees, volunteers, trainees, students, and other persons whose work is under the direct control of the covered entity) on the federal HIPAA privacy and security regulations and its HIPAA-related policies and procedures.
2. This training is required for all workforce members of a UAB HIPAA Covered Entity. It should be completed within the first 30 days (for VIVA, first 60 days) of employment or assignment.
a. A procedure will be maintained to follow up on members of the workforce who are delinquent in completing the required training.
b. Successful completion of this training will be documented.
c. Documentation of all required HIPAA training, both initial training and refresher courses as well as other compliance activities, will be retained for at least six (6) years from the date of its implementation.
D. Disciplinary Actions
1. UAB, through its various Human Resources Departments, shall partner with leaders to apply disciplinary actions against members of the workforce who fail to comply with UAB’s HIPAA policies and procedures or applicable laws regarding PHI.
2. The Human Resources Departments will partner with leaders to implement appropriate, fair, and consistent sanctions for workforce members who fail to comply. They will consider all relevant factors in determining the nature and severity of the disciplinary action: the type of violation, the intent of the workforce member at the time of the violation, and the number and frequency of any prior violations. Cumulative disciplinary actions may be imposed on an individual who commits more than one violation in one incident. Substantiated violations will include progressive disciplinary actions up to and including termination of employment or assignment.
6. REFERENCES: None
7. SCOPE: This policy applies to all UAB Covered Entities and to UAB Medicine Enterprise Covered Entities identified in Section 2.
8. ATTACHMENT: None