University of Maryland Policy on Compliance with the Health Insurance Portability and Accountability Act

The policy of the University of Maryland, College Park is to comply with the Health Insurance Portability and Accountability Act of 1996¹ and its implementing regulations² (collectively “HIPAA”) to the extent that HIPAA is applicable to the University.

The University’s activities include both HIPAA covered and non-covered functions. Accordingly, the University has determined that it is a hybrid entity for HIPAA coverage purposes.

The University has designated its Health Care Component, as set forth in Attachment A to this policy. A unit is included in the designation only to the extent it performs HIPAA covered functions or engages in activities that would make it a business associate of a unit that performs covered functions if the two were separate legal entities (“Covered Unit”). Other units that perform health care functions not covered by HIPAA, and that (1) voluntarily choose to comply with or participate in some or all HIPAA requirements, policies, or procedures; or (2) desire to become a Covered Unit must first receive approval from the University. A unit must be included in Attachment A before engaging in HIPAA covered activities. 

The University has designated a Privacy Officer for HIPAA compliance purposes. The HIPAA Privacy Officer designation and contact information are posted on the University’s HIPAA Website http://hipaa.umd.edu. ³ The designation of the Privacy Officer is subject to change by the President. 

The Privacy Officer is responsible for the development and implementation of policies and procedures as required by HIPAA, in consultation with the Office of General Counsel. The Privacy Officer may amend the University’s designation of Covered Unit(s) from time to time, as appropriate. The Privacy Officer is also designated to receive complaints concerning the University’s HIPAA related policies and procedures and HIPAA compliance. Any unit that engages in a HIPAA covered function must have a Notice of Privacy Practices.

Each Covered Unit shall designate a Privacy Coordinator to interact with the Privacy Officer and coordinate HIPAA compliance within the unit. Documentation of each Privacy Coordinator designation shall be provided to and maintained by the Privacy Officer.

The University’s Privacy Officer is responsible for adopting and implementing general operating policies governing HIPAA compliance by the Health Care Component. Such policies shall be distributed to all Covered Units and posted on the University’s HIPAA Website. 

Each Covered Unit is responsible for complying with the HIPAA operating policies, as applicable, and for developing procedures and forms as needed to implement and comply with such policies and HIPAA, including appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information. Each Covered Unit is also responsible for providing the University’s Privacy Officer with current copies of its procedures and any forms or other HIPAA related documents. The Privacy Officer may require a Covered Unit to change its procedures, forms or related documents.

The University has established a HIPAA Advisory Committee to assist the Privacy Officer and oversee the University’s HIPAA compliance. The Privacy Officer shall chair the committee. One member of the committee shall be designated by each of the following offices: Senior Vice President for Academic Affairs and Provost, Chief Information Officer, Vice President and General Counsel, Vice President for Student Affairs, Vice President for Research, and Dean of the Graduate School. The University’s Chief Information Security Officer will also serve on the committee. Additional members may be appointed by the Privacy Officer.

Complaints concerning the University’s HIPAA policies and procedures and/or compliance with those policies and procedures or HIPAA shall be made in writing to the Privacy Officer. The Privacy Officer shall investigate all complaints in a timely manner and provide a written determination to the parties involved (e.g., the complainant and the covered unit[s].) The Privacy Officer shall document all complaints received and their disposition.

Neither the University, nor any of its employees, will intimidate, threaten, coerce, discriminate against, or take other retaliatory action against: 

1. Any individual for exercising of any rights under, or participating in any process established by, the HIPAA privacy regulations, including filing a complaint; or
2. Any person for: 
   1. filing a complaint with the U.S. Secretary of Health and Human Services (or any other officer or employee of HHS to whom the authority has been designated) under the HIPAA regulations; 
   2. testifying, assisting, or participating in an investigation, compliance review, proceeding, or hearing under Part C of Title XI; or 
   3. opposing any act or practice made unlawful by the HIPAA privacy regulations, provided the person has a good faith belief that the practice opposed is unlawful, and the manner of the opposition is reasonable and does not involve a disclosure of protected health information in violation of the HIPAA privacy regulations.

The University will train members of its workforce (faculty, staff, students and volunteers) in each Covered Unit on policies and procedures with respect to protected health information as required by HIPAA. Such training will be as necessary and appropriate for the members of the workforce to carry out their function within the covered unit. The Privacy Officer, in conjunction with the Office of General Counsel and the units’ Privacy Coordinators, will define requirements regarding workforce training. 

Each new member of a Covered Unit’s workforce shall be trained within a reasonable time after joining the workforce. Additional training will be provided to each member of a Covered Unit’s workforce whose functions are materially affected by a change in HIPAA related policies or procedures. Such training will be provided within a reasonable time after the material change becomes effective. 

The Privacy Officer, and the Privacy Coordinators for the Covered Units, shall maintain copies of the training materials and document that the required training has been provided.

Individuals will not be required to waive their rights to file a complaint under the HIPAA privacy regulations as a condition of treatment, payment, enrollment in a health plan, or eligibility for benefits.

The University will mitigate, to the extent practicable, any harmful effect that is known to it of a use or disclosure, by the University or its business associates, of protected health information in violation of its policies and procedures or the HIPAA privacy regulations.

Violation of this policy by a member of the University’s workforce is subject to appropriate personnel or other disciplinary action.

All policies, procedures, communications, actions, activities and/or designations that require documentation under HIPAA shall be maintained in written and/or electronic form and retained for a period not less than six years from the date of its creation or the date when it was last in effect, whichever is later. 

The University’s Privacy Officer will determine whether documentation required by HIPAA and/or this policy should be kept centrally by the Privacy Officer, or whether any Covered Unit will be responsible for keeping its own documentation as required by HIPAA. The Privacy Officer has the authority to require any covered unit to send all documentation to him/her.

The University may change this policy and any of the other policies or procedures described herein as necessary and appropriate, in accordance with standard University procedures and any applicable HIPAA requirements.

¹ 42 U.S.C. 1320d, et seq.

² 45 CFR Parts 160, 162, 164.

³ The name and contact information for the Privacy Officer may also be obtained from the Office of the Vice President for Student Affairs at 301-314-8436 or via email at HIPAA-Privacy@umd.edu.