HIPAA Requirements (Health Insurance Portability and Accountability Act of 1996)

Op3.12-12 HIPAA Requirements (Health Insurance Portability and Accountability Act of 1996)

What is my role as department head?

The role of the department head is to be aware of and ensure your department is in compliance with the requirements of the university regarding protected of health information (PHI) as required by federal law. View the university's policy regarding HIPAA compliance.

Your first responsibility as a department head under HIPAA is to find out whether or not you must comply with the privacy and/or security components of HIPAA. If you do not know, contact the university’s information security officer to find out. Some departments have a significant amount of involvement with student, staff and faculty HIPAA-protected information; others may have very little. Regardless, it is important to know the key requirements of the law.

What are the basic requirements of the law?

HIPAA stands for Health Insurance Portability and Accountability Act of 1996 and is composed of three components:

  • Insurance portability,
  • Fraud enforcement, and
  • Administrative simplification.

The Privacy Rule established mandatory guidelines regarding the use and disclosure of protected health information. Many of the applications of the Privacy Rule are simply common sense while others are somewhat more complex. Also, the Privacy Rule enables the patient to control the disclosure of their PHI to certain entities.

The Security Rule focuses on requirements for covered entities to protect and safeguard the confidentiality of PHI created, maintained and transmitted in electronic form. The purpose of the Security Rule is to adopt national standards for safeguards to protect the confidentiality, integrity and availability of electronic protected health information (EPHI). Among other things, the covered entity’s computer network, access to the network and the method by which the covered entity stores and handles such information.

The university has identified a number of Health Care Components within its operations. For each Health Care Component, it has identified a unit privacy officer and a unit security officer. These positions, along with Missouri State University officers, are responsible for implementing, monitoring and reporting any violations to management.

What information must be secured/protected?

Protected health information (individually identifiable health information held or disclosed by a covered entity that can be communicated electronically, verbally or written.)

Where can I find training or resources to HIPAA?

Notice of Privacy Practices

HIPAA Privacy Training Policy

HIPAA Privacy Training (Human Resources)

HIPAA Research Training

HIPAA Security training

On a practical basis – what should I do?

  • Be aware of the regulatory requirements regarding protection of student information and the implications of noncompliance.
  • Ensure that your faculty and staff understand HIPAA requirements in dealing with personnel/student records, and where applicable, are formally trained in such.
  • Never provide any outside party with health information. Contact either the University Custodian of Records or Dr. David Muegge, Director of Magers Health and Wellness Center (DaveMuegge@MissouriState.edu).

What if I have questions?

If you have any question regarding HIPAA information, please contact: