Statement of Policy
Washington University and its member organizations (collectively, “Washington University” or “WU”) are committed to conducting business in compliance with all applicable laws, regulations and WU policies. WU has adopted this policy to set forth its compliance with those standards established by the Department of Health and Human Services under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) regarding the privacy of individually identifiable health information (the “Privacy Regulations”).
Scope of Policy
The scope of this Policy covers Washington University’s general approach to compliance with the Privacy Regulations.
1) A Hybrid Entity.
Washington University is a hybrid entity under the Privacy Regulations with both covered and non-covered functions. WU hereby designates its HIPAA covered functions as health care components for purposes of the Privacy Regulations. WU’s health care components are set forth in Exhibit A, attached hereto and incorporated herein, which Exhibit may be revised from time to time. Included within each designated health care component are various support services including, without limitation, legal, accounting, audit, finance, tax, risk management, information systems management, maintenance, facilities, environmental health and safety and the University’s Compliance Office.
Individuals who perform such support services for both HIPAA health care components and non-covered functions shall not use Protected Health Information that they obtain in the course of furnishing services for the HIPAA covered health care components to provide services to the non-covered functions. In addition, when Using or Disclosing Protected Health Information, the HIPAA covered health care components shall treat the non-covered functions as if they were legally separate entities. References within the Washington University HIPAA Privacy Policies to Washington University or WU mean the HIPAA covered entity components of Washington University.
2) A Single Affiliated Covered Entity.
WU has ownership or membership interests in a number of separate legal organizations. These separate legal organizations shall be considered a single affiliated covered entity with WU for purposes of the Privacy Regulations, and shall be included as part of the Washington University School of Medicine (“WUSM”) HIPAA health care component of WU. The separate legal entities that will be included as part of the WUSM component part of WU are set forth on Exhibit B, attached hereto and incorporated herein, which Exhibit may be revised from time to time.
3) An Organized Health Care Arrangement.
WUSM and its affiliated teaching hospitals, Barnes-Jewish Hospital (“BJH”) and St. Louis Children’s Hospital (“SLCH”), participate in a clinically integrated care setting in which patients typically receive health care services from employees and agents of each of WUSM, BJH and SLCH. WUSM, BJH and SLCH have designated themselves as an organized health care arrangement under the Privacy Regulations and have developed and implemented a Joint Notice of Privacy Practices. Except as specifically stated herein or as might be agreed to in writing, each of BJH, SLCH and WUSM shall be responsible for ensuring its own compliance with the Privacy Regulations and in no event shall any of them be responsible for any other party’s failure to comply with the Privacy Regulations.
4) Privacy Personnel.
On behalf of its covered entity component parts, WU has designated a Privacy Officer with overall responsibility for the development and implementation of policies that conform to the Privacy Regulations (“Privacy Policies”). The Privacy Officer has identified a number of business units within the HIPAA covered entity components of WU. Each business unit has named a HIPAA Privacy Liaison. The business unit HIPAA Privacy Liaison is responsible for ensuring that the business unit:
(i) complies with all WU HIPAA Privacy Policies,
(ii) maintains the confidentiality of all Protected Health Information created or received by the business unit from the date such information is created or received until it is destroyed, and
(iii) is responsible for ensuring that all staff members within the business unit have the appropriate level of HIPAA training as determined by the HIPAA Privacy Liaison in conjunction with the Privacy Officer.
5) Privacy Complaints.
The Privacy Officer shall be responsible for facilitating a process for individuals to file a complaint regarding WU’s Privacy Policies or the handling of Protected Health Information by a WU HIPAA health care component. The Privacy Officer shall be responsible for ensuring that the complaint and its disposition are appropriately documented and handled.
6) Mitigation, Sanctions and Non-Retaliation.
WU shall ensure that its HIPAA health care components mitigate damages for any violation of the Privacy Regulations and the WU Privacy Policies and/or Privacy Procedures, appropriately discipline and sanction employees and other Workforce members for any violation, and refrain from intimidating or retaliating against any person for exercising his or her rights under the Privacy Regulations or for reporting any concern, issue or practice that such person believes in good faith to be in violation of the Privacy Regulations or the WU Privacy Policies and/or Privacy Procedures. WU shall not require any persons to inappropriately waive any rights of such person to file a complaint with the Department of Health and Human Services.
7) Privacy Policies and Procedures.
The WU HIPAA Privacy Policies and Privacy Procedures are designed to ensure compliance with the Privacy Regulations. Such Privacy Policies and Privacy Procedures shall be kept current and in compliance with any changes in the law, regulations or practices of WU’s covered entity component parts.
8) Responsibility of All Employees within WU HIPAA Covered Entity Component Parts.
Every WU employee within a HIPAA covered entity component part of WU is responsible for being aware of, and complying with, the Privacy Regulations and the WU Privacy Policies and Privacy Procedures.
Creation Date: March 17, 2003
Effective Date: April 14, 2003
Last Revision Date: January 25, 2018