HIPAA Privacy Procedures

Applies to Employee Health Information Only

April 2004

Definitions

  1. Protected Health Information (PHI)
    "Individually identifiable health information" that is transmitted or maintained by electronic media or is transmitted or maintained in any other form or medium. PHI is health information (including demographic information collected from an individual) that:
    • Relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual.
    • Identifies the individual, or provides a reasonable basis to believe that the information could be used to identify the individual.
  2. Disclose/Disclosure
    Release, transfer, or provision of access to, or divulging in any other manner of information outside the entity holding the information.
  3. Use/Usage
    The sharing, application, utilization, examination, or analysis of such information within an entity or individual that maintains such information.
  4. Privacy Officer
    An individual responsible for the development and implementation of WPI's policies and procedures for handling PHI and otherwise complying with the HIPAA privacy regulations.
  5. Contact Person
    An individual responsible for acting as the contact for employees and third parties with regard to any information, policies or training pertaining to PHI or the related policies and procedures.

Procedures

  1. Uses and Disclosures of Protected Health Information (PHI)
    WPI may only use or disclose PHI when at least one of the following conditions is true:
    • The individual who is the subject of the information has authorized the use or disclosure.
    • The individual who is the subject of the information agrees or does not object to the disclosure and the disclosure is to persons involved in the health care of the individual.
    • The disclosure is to the individual who is the subject of the information.
    • The use or disclosure is for one of the HIPAA "public purposes" (i.e., required by law, etc.).
    • The disclosure is in furtherance of WPI's health care operations as set forth in HIPAA.
    To the extent possible, WPI will attempt to mitigate the effects of any unauthorized use or disclosure of PHI.
  2. Notice of HIPAA Privacy Practices
    WPI has published a Notice of HIPAA Privacy Practices. Individuals have received this notice and any revisions to it will be made available at the earliest practicable time.
  3. Access to Protected Health Information by the Individual
    Access to PHI will be granted to the individual who is the subject of such information within the timeframes set forth below. The individual requesting access will be informed of the location of PHI if it is not physically located on the premises.
    Location of PHI | Time Limit
    PHI that is maintained in the WPI Human Resources office | Provide approval and access or notice of denial within 30 days of the request
    PHI that is maintained outside the WPI Human Resources office | Provide approval and access or notice of denial within 60 days
  4. Verification of Identity
    The identity of any individual who requests access to PHI will be verified before such access is granted.
  5. Right to Request Restrictions
    An individual may request restrictions on certain uses and disclosures of his/her PHI. The individual has the right to request a limit on WPI's disclosure of his/her PHI to someone involved in the payment of his/her care. However, WPI is not required to agree to such a request.
  6. Right to Receive Confidential Communications Channels
    Upon specific request made by an individual, WPI will use confidential communications channels, to the extent possible, with that individual.
  7. Amendment of Incomplete or Incorrect Protected Health Information
    All requests for amendment of incorrect PHI maintained by WPI will be considered in a timely fashion. If such requests demonstrate that the information is actually incorrect, WPI will allow amending language to be added to the appropriate document. WPI may deny a request to amend if the health information records are not created or maintained by WPI, if the request does not include a supporting reason, if there is an exception, or if WPI determines that the existing information is accurate and complete. If there is an amendment or correction, WPI will notify any organization with whom the incorrect information was shared.
  8. Disclosure Accounting
    An individual may make a written request for an accounting of all disclosures of PHI made by WPI to others. The request must set forth a specific time period for the disclosures not starting earlier than April 14, 2004 or going back for more than 6 (six) years.
  9. Access by Personal Representatives
    Access to PHI must be granted to personal representatives of individuals, including deceased individuals, as though they were the individuals themselves, except in cases of abuse, where granting said access might endanger the individual or someone else. HIPAA privacy protections extend to information concerning deceased individuals. WPI will conform to the relevant custody status and the federal, state, and local applicable law when disclosing information about minors to their parents.
  10. WPI Employee Access to Protected Health Information and Prohibited Conduct
    Only certain employees within WPI, primarily within WPI's Human Resources Department, will have access to PHI, in order for WPI to facilitate the payment of health care benefits, work with health care providers, or to administer the Medical Reimbursement Account. No employee with authorized access to PHI may engage in any intimidating or retaliatory acts against persons who file complaints or otherwise exercise their rights under the HIPAA regulations. Enrollment or eligibility for benefits for any individual may not be conditioned on an individual providing an authorization to disclose PHI. Any employee authorized to handle PHI who intentionally or unintentionally violates any of the applicable policies or any procedures may be subject to disciplinary procedures up to and including termination.
  11. Judicial and Administrative Proceedings
    Information will be disclosed for the purposes of a judicial or administrative proceeding only when: accompanied by a court or administrative order, including a protective order, or grand jury subpoena; when accompanied by a subpoena or discovery request that includes either the authorization of the individual to whom the information applies, or documented assurances that good faith effort has been made to adequately notify the individual of the request for their information and there are no outstanding objections by the individual. If a subpoena or discovery request is submitted to WPI without one of these assurances, WPI will seek to notify the individual or obtain his or her authorization. In no case will WPI disclose information other than that required by the court order, subpoena, or discovery request.
  12. De-Identified Data and Limited Data Sets
    WPI will disclose de-identified data only if it has been properly de-identified by removing all the relevant identifying data. WPI will make use of limited data sets, but only after the relevant identifying data have been removed and then only to organizations with whom WPI has data use agreements and only for public health or health plan administration purposes.
  13. Authorizations
    A valid authorization will be obtained for all disclosures that are not: to the individual or his/her personal representative, to persons involved with the individual's care, to business associates in their legitimate duties, or for public purposes. Any authorizations generated from outside WPI will be reviewed to determine validity.
  14. Complaints
    All complaints relating to the use and/or disclosure of PHI by WPI must be in writing and addressed to WPI's Privacy Officer or Contact Person. A complaint will be investigated within 30 days of its receipt. A written response will be sent to the complainant within 10 days after the investigation is complete. If the complaint stems from a valid area of non-compliance with the HIPAA Privacy Regulations, WPI will implement a resolution in a timely fashion.
  15. Physical Safeguards
    Appropriate physical safeguards are in place to reasonably safeguard PHI from any intentional or unintentional use or disclosure that is in violation of the HIPAA Privacy Regulations. These safeguards will include physical protection of premises and PHI, the oral communication of PHI, and PHI that is removed from WPI.
  16. Retention of Records
    WPI will retain all records subject to the HIPAA Privacy Rule for six years. An individual making a request will maintain all records designated by HIPAA in this retention requirement in a manner that allows for access within a reasonable period of time. The six-year records retention period may be extended at WPI's discretion to meet with other governmental regulations or those requirements imposed by WPI's professional liability carrier.
  17. Cooperation with Privacy Oversight Authorities
    Oversight agencies such as the Office for Civil Rights of the Department of Health and Human Services will be given full support and cooperation in their efforts to ensure the protection of PHI within WPI.