PRISM (Promoting Research Initiatives in Substance Use and Mental Health) Collaborative HIPAA and Privacy Policy
Policy Number: EC.00.09.230801
Applies to: All WSU Elson S. Floyd College of Medicine Department of Community and Behavioral Health Faculty, Staff, and Students participating in the College of Medicine PRISM Collaborative.
Date: 08/1/2023
1.0 Policy Statement
It is the policy of the WSU College of Medicine PRISM Collaborative that faculty, staff, and students assigned to or involved in PRISM protect, in the performance of their services, the confidentiality, integrity, and availability of protected health information (PHI) and health care information in accordance with privacy/security policies and federal and state law.
2.0 Definitions
42 CFR Part 2
Title 42 of the Code of Federal Regulations, Part 2, which imposes restrictions on the disclosure and use of substance use disorder patient records that are maintained in connection with the performance of any Part 2 program.
HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, was enacted on August 21, 1996. Sections 261 through 264 of HIPAA require the Secretary of HHS to publicize standards for the electronic exchange, privacy, and security of health information.
Protected Health Information (PHI)
Information that is a subset of health information, including demographic information collected from an individual, that is created or received by a health care provider, health plan, employer, or health care clearinghouse; that relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual; and that identifies the individual, or concerning which there is a reasonable basis to believe the information can be used to identify the individual. See 45 CFR § 160.103.
PRISM Collaborative
Comprises faculty, staff and students, with appointments in the College of Medicine in the Department of Community and Behavioral Health who support contingency management consulting and technical services including fidelity monitoring.
PRISM Collaborative Workforce
WSU COM holds operational and managerial responsibility, including compliance oversight, for the PRISM Collaborative and its workforce members.
Washington’s Uniform Health Care Information Act, RCW 70.02
Washington’s state law that governs the use, access, and disclosure of patients’ health care information, whether oral or recorded in any form or medium. The law applies to licensed health care providers, an individual who assists a health care provider in the delivery of health care, or an agent and employee of a health care provider. See RCW 70.02.020.
3.0 Responsibilities
Office of Compliance
4.0 Procedures
Verification
PRISM Collaborative faculty, staff, and students must adhere to all privacy and security policies and complete any compliance education provided by the WSU College of Medicine. PRISM Collaborative faculty and staff are required to complete and sign privacy, confidentiality, and data security agreements and to complete HIPAA training. PRISM Collaborative faculty, staff, and students must maintain the confidentiality of the PRISM Collaborative's PHI and limit disclosure of PHI in accordance with WSU COM and WSU policies and the law; must not use, access, or disclose PHI without the patient's written authorization unless permitted by law; and must successfully complete the basic, role-specific, and/or supplemental clinical HIPAA training appropriate to their role in the PRISM Collaborative.
HIPAA Training
In accordance with the HIPAA and Part 2 Privacy Rules, the WSU College of Medicine Office of Compliance trains PRISM Collaborative faculty, staff, and students at a level appropriate to their roles and responsibilities, including training on HIPAA and state regulatory requirements. PRISM Collaborative administrators are members of the PRISM Collaborative workforce and receive HIPAA training so that they can help assure compliance by employees and students, as necessary and appropriate to carry out their responsibilities at the PRISM Collaborative. PRISM Collaborative faculty, staff, and students must complete all assigned training. Participating WSU College of Medicine students must complete data security and privacy (HIPAA) training through the WSU College of Medicine's electronic education and document management system.
HIPAA Privacy Rule
The HIPAA Privacy Rule sets forth standards to protect all PHI that is maintained, accessed, or disclosed. The Rule lists 18 identifiers that are considered personally identifiable information: data that can be used to identify, contact, or locate a single person, or that can be combined with other sources to identify a single individual. (See the De-Identification section below.)
Authorization
Generally, the HIPAA Privacy Rule requires written authorization before the use or disclosure of an individual's PHI. Under specific circumstances, however, the Privacy Rule permits the use or disclosure of PHI for quality improvement and monitoring without the individual's authorization.
HIPAA Security Rule
Monitoring
The PRISM Collaborative collects and stores defined and specific PHI to perform services that do not qualify as treatment. As part of its training and technical assistance work, and for the purpose of quality improvement and assurance, the information collected includes patient name, patient date of birth, demographic data (gender, race/ethnicity, education), attendance/date of service, and results.
WSU College of Medicine policy prohibits any maintenance or storage of clinic-related PHI within WSU College of Medicine or WSU IT or physical environments. Under the HIPAA Security Rule, PRISM Collaborative faculty, staff, and students must comply with all safeguards put in place to protect PHI.
PRISM Collaborative faculty, staff, and students must not have access to PHI unless they have completed the WSU College of Medicine’s required HIPAA and security training. The WSU College of Medicine Office of Compliance must perform all audits of faculty, staff, and student training on an appropriate basis or when otherwise deemed necessary. WSU College of Medicine Students must remain in compliance with this standard to satisfy degree requirements. All documentation of data security and privacy (HIPAA) training for students is managed in CastleBranch. The Office of Compliance/Talent Recognition & Enhancement manages faculty and staff HIPAA training documentation. In accordance with the law, WSU College of Medicine retains training documentation for six years.
Compliance
The Office of Compliance maintains responsibility for the designation of a compliance contact for all internal auditing and monitoring activities. Faculty, staff, and students who have questions or concerns regarding HIPAA should seek out the services of the Office of Compliance.
De-Identification
De-identification is the removal of all identifiers that can be linked to an individual or used to re-identify one. One method that satisfies the Privacy Rule's de-identification standard (the other being Expert Determination) is the Safe Harbor method, which removes the 18 HIPAA identifiers listed below. When these identifiers are removed, and the PRISM Collaborative has no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify the individual, the information is no longer considered PHI and may be released.
Safe Harbor
The following identifiers of the individual or of relatives, employers, or household members of the individual, are removed:
- Names
- All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code, and their equivalent geocodes, except for the initial three digits of the ZIP code if, according to the current publicly available data from the Bureau of the Census:
  - the geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people; and
  - the initial three digits of a ZIP code for all such geographic units containing 20,000 or fewer people are changed to 000
- All elements of dates (except year) for dates that are directly related to an individual, including birth date, admission date, discharge date, death date, and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
- Telephone numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Fax numbers
- Device identifiers and serial numbers
- Email addresses
- Web Universal Resource Locators (URLs)
- Social security numbers
- Internet Protocol (IP) addresses
- Medical record numbers
- Biometric identifiers, including finger and voiceprints
- Health plan beneficiary numbers
- Full-face photographs and any comparable images
- Account numbers
- Any other unique identifying number, characteristic, or code
- Certificate/license numbers
(Reference: 45 CFR §164.502(d), 45 CFR §164.514(a-c), Health Insurance Portability and Accountability Act of 1996)
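The Safe Harbor rules above have two traps that a script which only drops the name column will miss: the three-digit ZIP prefix must become 000 when that prefix's combined population is 20,000 or fewer, and for anyone over 89 the birth year itself must go, because it reveals the age. The following Python is an added example, not part of this policy or of any WSU system. It applies the Safe Harbor rules to a record shaped like the PRISM monitoring data described above (name, date of birth, demographics, date of service, result, plus a free-text notes field). The field names, the sample records and the set of restricted ZIP prefixes are constructed placeholders; the restricted-prefix set in particular must be taken from current Census data rather than copied from here. The example also fails closed when a free-text field still carries something that looks like an SSN, phone number or email address, since that kind of residue is exactly what turns a "de-identified" release into a reportable breach.

```python
"""Safe Harbor de-identification of a PRISM-style monitoring record.

Added example: not part of the policy. Field names, sample records and
RESTRICTED_ZIP3 are constructed placeholders for illustration only.
"""
import re
from datetime import date

# Direct identifiers that Safe Harbor removes outright (constructed field
# names mapping onto the identifier categories listed in the policy).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_id", "url", "ip_address", "biometric", "photo",
}

# PLACEHOLDER: three-digit ZIP prefixes whose combined population is
# 20,000 or fewer. The real set must come from current Census data.
RESTRICTED_ZIP3 = {"036", "059", "102"}

# Residual identifiers that tend to survive in free-text fields.
RESIDUAL_IDENTIFIER = re.compile(
    r"\b\d{3}-\d{2}-\d{4}\b"                    # SSN
    r"|\(?\b\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"   # US phone number
    r"|[\w.+-]+@[\w-]+\.[\w.-]+"                # email address
)

# Reference date for age calculation (constructed to match the policy date).
AS_OF = date(2023, 8, 1)


def age_on(dob, as_of):
    """Whole years between date of birth and the reference date."""
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def zip_to_safe_harbor(zip_code):
    """Keep the first three digits unless that prefix is restricted."""
    zip3 = str(zip_code).strip()[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def safe_harbor(record, as_of=AS_OF):
    """Return a Safe Harbor de-identified copy of ``record``.

    Raises ValueError if a free-text field still contains an identifier,
    so a caller cannot release the record by accident.
    """
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS or value is None:
            continue                                  # identifier: drop it
        if field == "zip":
            out["zip3"] = zip_to_safe_harbor(value)
        elif field == "dob":
            age = age_on(value, as_of)
            if age > 89:
                out["age"] = "90+"    # birth year would reveal the age, so it goes too
            else:
                out["birth_year"] = value.year        # the year alone is permitted
                out["age"] = age
        elif isinstance(value, date):
            out[field.replace("_date", "") + "_year"] = value.year   # other dates: year only
        elif isinstance(value, str) and RESIDUAL_IDENTIFIER.search(value):
            raise ValueError(f"residual identifier in free-text field {field!r}")
        else:
            out[field] = value                        # demographics, results, etc.
    return out


# Constructed sample records shaped like the PRISM monitoring data.
SAMPLE_RECORDS = [
    {"name": "Jane Q. Sample", "dob": date(1985, 4, 12), "zip": "99164",
     "gender": "F", "race_ethnicity": "White", "education": "Bachelor's",
     "service_date": date(2023, 7, 18), "result": "negative",
     "notes": "attended all sessions"},
    {"name": "John R. Sample", "dob": date(1931, 1, 2), "zip": "03601",
     "gender": "M", "race_ethnicity": "Hispanic", "education": "High school",
     "service_date": date(2023, 7, 18), "result": "positive",
     "notes": "missed one session"},
]


def deidentify_samples():
    """De-identify the constructed sample records with the policy-date reference."""
    return [safe_harbor(r) for r in SAMPLE_RECORDS]


if __name__ == "__main__":
    for row in deidentify_samples():
        print(row)
```

Running the module prints the two de-identified rows: the first keeps birth year 1985, age 38 and ZIP prefix 991; the second loses its birth year, reports age "90+" and, because 036 is in the placeholder restricted set, reports ZIP prefix 000. Passing a record whose notes field contains a phone number or email address raises instead of returning a partially cleaned row, which is the behaviour a release pipeline should have under the reporting obligations described in the next paragraph.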
Failure to properly de-identify PHI can constitute a HIPAA breach, and such breaches are reportable to the affiliated organization. Records, including student assignments, that contain PHI must not be placed on any electronic system owned by the College of Medicine. Electronic and hard-copy forms created by the PRISM Collaborative and used by faculty and students to document patient cases shall be reviewed by the Office of Compliance to ensure PHI is not being collected or used inappropriately.
Reporting
If any faculty member, staff member, or student becomes aware of an actual or alleged violation of HIPAA, RCW 70.02, and/or this Policy, the individual is required to bring the actual or alleged violation to the attention of the Office of Compliance for reporting.
College of Medicine Office of Compliance
Email: medicine.compliance@wsu.edu
The Office of Civil Rights
University French Administration Building, Room 225
Email: crci@wsu.edu
Phone: 509-335-8288
Fax: 509-335-5483
Potential Breach or Noncompliance Investigations
PRISM Collaborative faculty, staff, and students must immediately report any known or suspected security incident or breach of PHI to the WSU College of Medicine's Office of Compliance, including any attempted or successful unauthorized access, use, disclosure, modification, or destruction of PHI. Failure to comply with WSU College of Medicine HIPAA, security, and other policies may result in, among other things, appropriate corrective action, including termination or other discipline in accordance with WSU policy, or loss of assignment/appointment in the department in accordance with the corrective action policy.
Where appropriate or necessary, the Office of Compliance has the right to involve other stakeholders to assist with an investigation, such as the WSU College of Medicine Information Security Office, the Attorney General's Office, or administrative areas as appropriate. If any other WSU College of Medicine department receives notification of a potential HIPAA violation or a violation of this policy, that department must promptly notify the Office of Compliance. WSU College of Medicine faculty, staff, and students participating in PRISM are required to cooperate in such investigations and to respond promptly to inquiries from the WSU College of Medicine Office of Compliance and to any other requests from administrative areas assisting with or coordinating the investigation.
Any investigations and/or inquiries from PRISM stakeholders must be handled promptly by contacting the WSU College of Medicine Office of Compliance.
Records Management
Attestations and documentation of satisfactory completion of HIPAA training for students and faculty are retained for six years.
5.0 Related Policies
- College of Medicine Conflict of Interest Policy EC.01.01.191203
- WSU Conduct Code
- WSU Ethics, Conflict of Interest and Technology Transfer Policy
- WSU Responding to Allegations of Research Misconduct Policy
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Washington's Uniform Health Care Information Act, RCW 70.02
- EC.00.07.200414 WSU COM HIPAA Training for Faculty and Staff
- WSU EP Chapter 88 – Information Privacy
- WSU EP #4 – Electronic Communication Policy
- WSU EP #8 – University Data Policies
- WSU EP #37 – Information Security Policy
6.0 Key Search Words
PRISM Collaborative, Compliance, Protected Health Information, Privacy, Security, Health Insurance Portability and Accountability Act
7.0 Revision History
Original Approval: 8/01/2023
Policy Number: EC.00.09.230801
Review/Revision: 08/01/2023
