HIPAA Policies and Training
At first it may not be clear why Penn State would need to comply with HIPAA requirements. After all, Penn State is primarily an educational institution. Some organizations, such as hospitals, fit fully under HIPAA. However, HIPAA recognizes that not all organizations that handle personal health care information are primarily health care providers, and it makes a provision for such entities. The term "hybrid entity" is another name for any organization that performs both HIPAA covered and non-covered functions.
Penn State is a hybrid entity; only parts of Penn State are subject to HIPAA. The parts of Penn State that are regulated under the HIPAA act are referred to as covered components. The University has identified which of its specific units are covered components. These covered components are required to meet specific standards under the act as participants in the delivery of health care, paying for health care, and providing operational support for health care services. The covered components of the University include:
- Central Support Services, Office of Physical Plant
- Financial Office, Student Affairs
- Financial Office, College of Liberal Arts
- Internal Auditing, Corporate Controller's Office
- Penn State Health Plans, Office of Human Resources
- Penn State Privacy Office
- Psychological Clinic, Department of Psychology, College of Liberal Arts
- Records Center, Department of Document Services, Auxiliary and Business Services
- University Health Services, Student Affairs
- Waste Management Program, Office of Physical Plant
All covered components of Penn State (units and individuals) must follow the rules of HIPAA as they apply to those components. For example, staff members involved in treating patients have different responsibilities from those staff who are conducting research that uses patient information. Other staff who support units that provide support services to University Health Services and the Counseling Center of the College of Liberal Arts may not treat patients, but may have access to protected health information (PHI) as a result of their job. Thus, whatever job you have within a covered component, it is necessary for you to protect health information.
The Milton S. Hershey Medical Center and the Penn State College of Medicine have been joined together as an "Affiliated Covered Entity" and act as one for the purposes of HIPAA. They have one privacy officer and one set of materials and procedures used to comply with HIPAA. If faculty, staff, or students are participating in any activity that involves patient information from the Milton S. Hershey Medical Center, it will be necessary to follow the privacy and security policies of the medical center.
HIPAA's Privacy Rule requires that Penn State establish a University-wide Privacy Office and a Chief Privacy Officer. The Privacy Office has the responsibility to implement and monitor compliance with HIPAA. In addition, each covered component will be participating in the ongoing compliance issues of HIPAA by assigning a representative to coordinate regulatory compliance and implementation.
HIPAA Policies
To learn more about HIPAA's impact on Penn State, please refer to these relevant policies:
- AD22 Health Insurance Portability and Accountability Act (HIPAA)
- RA22 Penn State HIPAA Research Policy
- RA23 Penn State Milton S. Hershey Medical Center Penn State College of Medicine Research Policy
HIPAA Training
Penn State Policy AD22 describes the training required under HIPAA. According to HIPAA, it is essential that all individuals covered by the Privacy Rule be trained in the Penn State policies and procedures and those procedures necessary for them to perform their assignment. Since research done by faculty and staff may involve the use of PHI, there is specialized training for researchers. Staff members of clinical services need to extend their current knowledge of health care privacy matters to the specifics required by the Privacy Rule. Students who are going out on internships must participate in the training specifically developed for students and also follow the policies of their cooperating organization.
Policy AD22 defines the sanctions and disciplinary process as required under HIPAA for individuals who fail to follow the University's HIPAA policies. All covered entities must equally enforce the requirements to maintain confidentiality of PHI.
Penn State HIPAA training is available online via the Angel Course Management System at https://cms.psu.edu. The Angel Group that contains the Penn State HIPAA training materials is named "Penn State HIPAA Training." If you would like to take the online course, you will need to join this group. It does not require a PIN. You will need to log in with your Penn State access account. You can learn more about how to use the Angel system by clicking on the HELP link, which is listed on the first page within https://cms.psu.edu.