HIPAA Policy-08
About This Policy
Effective: 07/01/2014
Last Updated: 09/01/2021
Responsible University Office:
Office of the Chief Privacy Officer
Responsible University Administrator:
Chief Privacy Officer
mawerlin@iu.edu
Policy Contact:
HIPAA Privacy Officer
HIPAA Security Officer
hipaa@iu.edu
This policy applies to the workforce members in the designated Indiana University (IU) HIPAA Covered Healthcare Components and HIPAA Affected Areas, anyone rendering services as a Business Associate, and anyone who creates, receives, maintains, or transmits Protected Health Information (PHI) in any capacity at IU, including, but not limited to, faculty, staff, students, trainees, volunteers, visiting scholars, and third-party agents. For the purposes of this policy, all of the above will be referred to as workforce members.
Policy Statement
- Workforce members shall not physically remove or transport any PHI from IU work locations unless such information is necessary for the performance of their job duties and in compliance with this policy.
- Workforce members must have approval from their supervisor or Principal Investigator (PI), when engaged in research activities, prior to removing or transporting PHI from an IU work location. Before approving the request, the supervisor or PI must ensure the workforce member has the proper resources for safeguarding the PHI. The approval shall be documented and retained by the workforce member.
- Workforce members shall ensure that all PHI, whether in paper or electronic format, that is physically removed from IU work locations is the minimum information necessary for their job duties and is secured and transported in compliance with this policy and referenced policies and guidelines.
- Workforce members shall not remove any original paper medical records from their IU work location except to transport between IU work locations necessary for their job duties.
- Workforce members shall not physically remove any PHI stored in electronic form on mobile devices from IU work locations unless the device on which it is stored is in compliance with all applicable IU encryption policies and standards. (IU Policy IT-12.1)
- Workforce members who transport PHI in any form, and whether on-site or off-site, shall take reasonable precautions to safeguard and secure the information at all times. (See Attachment 1, Guidelines for the removal and transport of PHI)
Reason for the Policy
Members of the IU workforce who are tasked with the transportation of PHI from location to location or are assigned to work from home part-time, full-time or on an exception basis in an official IU capacity are responsible for maintaining the privacy and security of the PHI and for following all IU policies and procedures related to HIPAA and Critical Data.
IU has a legal and ethical responsibility to maintain the confidentiality, privacy and security of all PHI it creates, receives or maintains. This policy is to ensure appropriate safeguards against the loss, theft, and unauthorized access, use, disclosure, alteration or destruction of PHI in paper form or stored in electronic form on mobile devices by providing basic requirements for the physical removal or transport of such information from or within IU.
Definitions
Individually Identifiable Health Information (IIHI): A subset of health information, including demographic information collected from an individual, and: (1) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and identifies the individual or there is a reasonable basis to believe the information can be used to identify the individual.
Protected Health Information (PHI): Individually identifiable health information held or transmitted by a covered entity or its business associate in any form or medium, whether electronic, on paper or oral.
See the Glossary of HIPAA Related Terms for a complete list of terms.
Sanctions
Workforce members who violate this policy are subject to sanctions up to and including termination from employment.
History
07/01/2014 Effective Date
08/01/2016 Updated Definitions Section, added link to Glossary
06/01/2017 Published on University policy site
10/31/2018 Updated Section 2C
09/01/2021 Updated contacts and revised for remote work arrangements