NMSU’s Chief Privacy Officer is responsible for ensuring that individually identifiable health information is handled appropriately across the entire University.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) rules create a framework to protect the privacy and security of patients’ and health plan members’ health information. NMSU supports the goals of HIPAA and documents its commitment to comply with these laws in its “15.60 – Management of Health Information – HIPAA Compliance” Administrative Rule and Procedure.
This web site provides institutional information and guidance on the policies and procedures related to HIPAA compliance at NMSU.
The University is considered a “hybrid entity” under HIPAA, which means that some parts of the University are subject to HIPAA and others are not. The University’s health plans, its health care provider services, and those that may access Protected Health Information (PHI) to support the plans or health care provider services are subject to HIPAA. The areas that make up the University’s hybrid entity are referred to as “covered components.” Areas outside of the University’s health care components may also be subject to HIPAA if they act as a “business associate” of an organization that is subject to HIPAA. The following sections specify essential HIPAA requirements:
Covered Entity’s Standard Operating Policies and Procedures
Each covered entity at NMSU should develop HIPAA operating procedures detailing the conduct of its local operations according to HIPAA requirements, and these procedures should align with NMSU’s “15.60 – Management of Health Information – HIPAA Compliance” Administrative Rule and Procedure. Part of the operating procedures should include a documented information security risk assessment to ensure the proper implementation of physical, administrative and technical safeguards for PHI. The risk assessment should be updated annually or as major changes occur to the operation of the covered component. The Office of the National Coordinator for Health Information Technology (ONC), in coordination with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), created a Guide to help covered entities integrate privacy and security into operations. Please refer to this link for a copy of the Guide – Establishing a HIPAA Compliance Program.
Areas at NMSU that are designated as covered components by the HIPAA regulations are responsible for providing comprehensive training to staff regarding their privacy policies and procedures as necessary to carry out their functions.
Each area is required to ensure that all staff, including new and existing employees, volunteers, trainees or others whose conduct is under the control of the entity, are trained. Follow-up training is expected to occur annually.
Notice of Privacy Practices
Each covered component at NMSU should create a Notice of Privacy Practices. A Notice of Privacy Practices discloses the ways the University gathers, uses, discloses, and protects patient data. Specifically, the HIPAA Privacy Rule requires health plans and covered health care providers to develop and distribute a notice that provides a clear, user-friendly explanation of individuals’ rights with respect to their personal health information and the privacy practices of health plans and health care providers. Guidance and model notices of privacy practices (NPPs) can be found on this page – model notices.
Anyone in the NMSU community can and should report a known or suspected violation of health information privacy, security or University policy. Known or suspected violations can be reported by contacting the Health Information Privacy Officer and Chief Privacy Officer by phone at (575) 646-5902, or by email at firstname.lastname@example.org. The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. Refer to the Breach Notification Rule website for more information.
Resources from the U.S. Department of Health & Human Services
- Health Information Privacy
- HIPAA for Professionals
- Free Training Materials
- HealthIT.gov – Privacy and Security
- Office for Civil Rights (OCR) – Filing a Complaint with OCR
For more information regarding the HIPAA compliance program at NMSU contact:
Carlos S. Lobato, CPA
Chief Privacy Officer