Unit Role
Principles, Standards, and Guidance
Education and Awareness
Administration and Management
Institutional Oversight
Monitoring
Auditing
Noncompliance
Coordination Among Entities
Records and Reporting
Unit Role
WashU has three entities responsible for assuring compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA): The HIPAA Privacy Office, the HIPAA Information Security Office, and the WashU HIPAA Covered Entity, which is comprised of 57 individual Business Units. These three entities help ensure compliance with Federal regulations and University and sponsoring agency policies and procedures related to HIPAA and to provide HIPAA-related communication, education, and support for University researchers and staff.
The Privacy Office is responsible for compliance with HIPAA Privacy Regulations regarding the access, use, and disclosure of protected health information (PHI) and coordinates HIPAA Privacy Compliance for the WashU HIPAA Covered Entity.
The Privacy Office reports to the Associate Vice Chancellor for Clinical Affairs.
The Information Security Office is responsible for information security and business continuity services for the School of Medicine. It maintains a program to address compliance with multiple Security Regulations including HIPAA and its requirements regarding the physical and technical security of electronic PHI. The Security Office coordinates HIPAA Security Compliance for the WashU HIPAA Covered Entity.
The Information Security Office reports to the Vice Chancellor and Chief Information Officer of the University.
Each of the 57 Business Units (BU) designates a HIPAA Privacy Liaison and a HIPAA Security Liaison. Together, these liaisons are responsible for helping to ensure that their BU complies with the University HIPAA Privacy and Security Policies. The liaisons are also responsible for communicating HIPAA compliance policies and procedures to faculty and staff in the BU, utilizing the resources and tools provided by the HIPAA Privacy and Information Security Offices, and ensuring appropriate levels of training are completed by all BU personnel.
Together, the Privacy Office, the Information Security Office, and the 57 Business Units and their respective liaisons coordinate to achieve the following responsibilities:
Principles, Standards, and Guidance
- Oversee the development, implementation, and review of institutional policies and procedures to assure the privacy and security of PHI.
- Disseminate information and provide guidance regarding compliance with HIPAA Federal regulations and University and sponsoring agency policies and procedures.
Education and Awareness
- Develop and implement educational programs and tools to effectively train researchers and staff participating in research involving PHI.
- Ensure compliance of the appropriate level of HIPAA training for researchers and staff.
- Provide communication and other resources for researchers and staff to raise awareness regarding HIPAA requirements.
Administration and Management
- Represents the University to Federal regulatory agencies.
- Develop and implement administrative, physical, and technical safeguards to protect and control access to PHI in accordance with Federal regulations and University and sponsoring agency policies and procedures.
- Develop and maintain electronic systems and technology solutions related to the administration of HIPAA.
Institutional Oversight
- Promote a culture of compliance and oversee adherence to Federal regulations and University and sponsoring agency policies and procedures instituted to safeguard PHI.
Monitoring
- Monitor to identify problems and to help ensure compliance with Federal regulations and University and sponsoring agency policies and procedures instituted to safeguard PHI.
Auditing
- Periodically review and assess the progress of previous HIPAA violators.
Noncompliance
- Receive and investigate all internal and external HIPAA privacy and security complaints.
- Assure that each complaint and its disposition are appropriately documented and handled in accordance with Federal regulations and University and sponsoring agency policies and procedures instituted to safeguard PHI.
- Mitigate damages for any violation and administers appropriate sanctions against University faculty and staff found culpable of HIPAA violations in accordance Federal regulations and University and sponsoring agency policies and procedures.
- Supports and endorses cooperation with University compliance and monitoring efforts and reports instances of noncompliance to the appropriate compliance office.
Coordination Among Entities
- Coordinate with the Human Research Quality Assurance/Quality Improvement Program (HR QA/QI) and the Human Research Protection Office (HRPO) to facilitate cooperation and help ensure that health information is protected in accordance with HIPAA Federal regulations and University and sponsoring agency policies and procedures.
Records and Reporting
- Create and maintain records for all HIPAA violations and violators.
Assure confidentiality, integrity, and availability for all electronic PHI created, received, maintained, or transmitted by the institution.