Austin Community College is required by law to protect the privacy of protected health information (PHI). Protected health information is individually identifiable health information created or received by a health care provider, health plan, employer, school or university, or health care clearinghouse that relates to past, present, or future physical or mental health or condition. It also includes any information related to health care provided to an individual currently, in the past or planned for in the future, and any payments for health care services past, present, or future. This information is protected from unauthorized release if there is a reasonable basis to believe the information can be used to identify the individual. ACC is required by the Privacy Rule issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to maintain the privacy of protected health information.
Covered Entities
All covered entities will make reasonable efforts to limit the use and disclosure of PHI to the minimum extent necessary to accomplish the use or disclosure’s purpose.
Covered entities will provide all patients with a Notice of Privacy Practice outlining the patient’s rights regarding:
- Access to PHI
- Disclosures of PHI
- Complaint Process
Uses and Disclosures of PHI
ACC will not use or disclose an individual’s PHI except as described in the Notice of Privacy Practice
Accounting of Disclosures
ACC covered entities have an obligation to maintain (and patients have the right to request) an “accounting of disclosures” made by the covered entity to anyone outside of that Department since April 14, 2003, or during the preceding six years, whichever period is shorter. The “accounting” will include:
- The date of each disclosure;
- The name of the person or organization that received the PHI;
- A brief description of the PHI disclosed;
- A brief statement explaining the purpose of each disclosure;
- If multiple disclosures are made to the same person/organization, a summary of the disclosures may be developed that details the frequency and number of disclosures in the series, to include the last disclosure date in the series.
ACC HIPAA Components will retain the following documentation, in either written or electronic form, for six (6) years
- Written requests for an accounting of disclosures of PHI;
- Accounting of disclosures that have been provided to the individual or his or her personal representative, including the titles of persons and offices responsible for receiving the request for accounting;
- Copies of any notices requesting a time extension to prepare an accounting of disclosure of PHI;
- Copies of any notices advising that a fee may be charged for providing an accounting of disclosures of PHI.
Business Associates
Faculty, students, and employees will receive training and adhere to the HIPAA polices outlined in the HIPAA Training Module. They will also adhere to any individual health care facility policy/procedure not addressed in this document. Students may not remove PHI from a Business Associate facility. However, they may use de-identified PHI for educational purposes.
Programs may receive donated de-identified information from outside sources. The program receiving the item/s will assign an “identification” number to each item. The program will maintain a log of each item and a list of each course using that item. Donated de-identified information may not be transferred to any external entity.
Non-Business Associates
Each covered department will designate those employees who need access to PHI to carry out their duties and shall designate the level of access needed by each employee. Faculty and employees will receive training and adhere to the HIPAA policies outlined in the HIPAA Training Module.
Back to Top