HIPAA is a federal law that college and university boards should be familiar with because compliance with it falls under board oversight. Not all educational institutions are subject to HIPAA, but in most cases college boards are. In those cases, board trustees should have a basic understanding of the law and be familiar with the many provisions that relate to compliance measures.
Compliance with HIPAA laws is something that board trustees should be having conversations with their management staff about. It’s crucial that boards perform their due diligence in learning more about the steps their college is taking to remain in compliance with HIPAA in order to avoid fines and liability issues.
What Is HIPAA and Why Is It Important?
HIPAA is a federal act that Congress passed in 1996 to help patients protect their personal and sensitive information. HIPAA is an acronym that stands for the Health Insurance Portability and Accountability Act.
Since most students live away from home and on college campuses, many colleges have medical staff available to tend to students’ health needs during the time of their postsecondary education. Colleges that bill providers for services must abide by the HIPAA laws.
HIPAA is organized into separate titles to differentiate the various provisions within the Act. One of the main provisions of HIPAA is that it allows millions of American workers to transfer and continue their health insurance coverage if they lose their job or change jobs. Part of the intent of HIPAA is to reduce health care fraud and abuse. The Act requires mental health workers to manage protected health information so that it remains confidential at all times. The law also places mandates on the healthcare industry related to how it handles health information.
The HIPAA laws are quite clear. Boards that fail to provide proper oversight may incur penalties and violations.
Which Types of Educational Institutions Must Comply With HIPAA?
HIPAA generally doesn’t apply to elementary or secondary schools, although protecting patient information at those institutions falls under different laws and regulations. Even where an elementary or secondary school might otherwise meet the definition of a covered entity, the health records it holds on students fall under the legal definition of education records, so that patient data is covered instead by the Federal Educational Rights and Privacy Act, commonly known as FERPA. For this reason, elementary and secondary schools aren’t subject to the HIPAA Privacy Rule. This holds true even though such schools may use the services of school nurses, school psychologists, physicians or other healthcare providers, because those providers don’t usually take part in HIPAA-covered transactions, such as filing claims under a student’s personal health plan.
There is a notable exception for schools under HIPAA: if a high school employs a healthcare provider that sends bills electronically to Medicaid for services provided to a student under the IDEA, the school is a HIPAA-covered entity and is subject to the HIPAA requirements concerning transactions. This is because the HIPAA Privacy Rule applies only to health plans, healthcare clearinghouses and healthcare providers that transmit health information electronically for covered transactions.
Why HIPAA Compliance Is Important for College Boards
Compliance with HIPAA regulations falls under the responsibility of college administration and management. At the same time, college boards of trustees are responsible for planning and oversight over management. Related to this responsibility, board trustees should have a basic understanding of what HIPAA entails as it relates to their students. In addition, college board trustees should have discussions with managers and administrators about how their procedures ensure compliance with HIPAA laws.
HIPAA compliance is a good topic for board trustee education and training. Better education on this topic will help board trustees ask better questions and get better answers about how their institution manages HIPAA compliance.
First, college board trustees should know the definition of protected health information, or PHI. PHI is any information, whether personal or medical, that identifies a patient. It can be in verbal, written or electronic form. PHI includes such information as name, address, Social Security number, photo, ZIP code, treatment date, employer, family information, health conditions or other notable characteristics.
Board trustees should look for assurance that the college’s health providers know and follow all HIPAA procedures.
In discussions with managers, board trustees should learn how their staff use the Notice of Privacy Practices. This notice states how the college may use a student’s PHI and details the student’s rights. Colleges must provide the Notice of Privacy Practices to students at the time of their first contact with a college healthcare provider. Colleges must also post the Notice at the clinic and make it available on the college’s website. In addition, colleges should have a policy in place that requires patients to sign a form acknowledging that the college has provided them with the Notice of Privacy Practices.
College trustees should also be aware that if the school uses videotaping or audiotaping of patient observation as part of its training, staff need to ask the patient to sign a consent form.
HIPAA is a complex law with many components, so it’s important that college trustees understand enough about HIPAA to prevent any undue legal problems. Here’s a list of additional points for college trustees to be aware of:
- Be aware of the types of incidents that can cause careless handling of PHI
- Know the college’s circumstances around sharing PHI
- Ensure that staff are following proper procedures for handling authorizations they receive from other entities
- Ensure that staff have proper training on HIPAA and disclose only the minimum necessary information
- Trustees and staff should be familiar with the rules for using PHI in marketing efforts
- Trustees and staff should also be aware that they’re not allowed to use PHI to recruit patients or conduct research
- Staff are required to release patient records within 30 days of a request
- Trustees and staff should be aware that patients can restrict disclosures
- Staff should have a procedure in place to record disclosures of PHI
- Colleges should have a plan in place for notification in the event of a breach
- All patient records should be stored in a locked cabinet
- Staff should never send unencrypted or encrypted information that they wouldn’t place on a billboard
- Staff should refrain from leaving messages for patients and speak to them directly
- Staff should never discuss PHI when anyone else is within earshot
Board Management Software Assists Trustees With HIPAA Compliance
HIPAA compliance is a complex issue and one that comes with many legal ramifications. A board management software program such as BoardEffect’s can help board trustees document their efforts toward ensuring proper oversight of HIPAA procedures. The board portal digitizes agendas and meeting minutes in case the board’s actions are ever called into question in court. The program has a feature for action steps and automatic notifications so that trustees are sure to follow up on their duties.
In addition, BoardEffect helps board trustees track board development cycles, which could be used to demonstrate that board trustees have the proper training and education on HIPAA. With BoardEffect, it’s a rare situation where board trustees would fall prey to lax oversight.