These procedures address the confidentiality and safeguarding of individually identifiable health information transmitted or maintained in any form or medium by South Puget Sound Community College in accordance with the Health Information Portability and Accountability Act (HIPAA).
DESIGNATED ENTITIES
South Puget Sound Community College is designated as a hybrid entity, meaning it conducts both covered and non-covered functions. The Campus Dental Clinic located within the dental assisting program (hereinafter “Dental Clinic”) is the healthcare component that generates PHI. The college’s business office and Information Technology (IT) department are considered to be part of the healthcare component to the extent they perform functions that support the Dental Clinic. The business office and IT department must comply with HIPAA to the extent they create, receive, maintain, or transmit PHI on behalf of the Dental Clinic.
DESIGNATED PRIVACY AND SECURITY OFFICERS
Risk Manager (RM): The Vice President for Finance and Operations
- Receives and investigates complaints
- Oversees monitoring, auditing, and compliance practices college-wide
- Ensures SPSCC Workforce Members outside of the dental department and IT department are compliant
- Receives and assesses potential breaches and carries out notification procedure when appropriate
- Serves as liaison with the Attorney General’s office
Privacy Officer (PO): The Director of Dental Assisting
- Develops and implements policies and procedures for the Dental Clinic related to federal and state privacy laws and regulations.
- Audits and monitors practices to ensure the Dental Workforce Members are compliant.
- Assists Risk Manager in investigating complaints
- Provides information about matters covered by the Notice of Privacy Practices.
- Serves as the contact point for patients who wish to exercise their privacy rights.
- Ensures Dental workforce members are educated about their responsibilities related to federal and state privacy laws and regulations
- Maintains records in accordance with state and federal requirements.
- Monitors regulatory developments and recommends program modifications as needed
Security Officer (SO): The Executive Technology Officer
- Ensures information systems are compliant with HIPAA security requirements
- Ensures IT workforce members are compliant with HIPAA
- Assists Risk Manager in investigating complaints
EMPLOYEE EDUCATION AND TRAINING
All employees expected to handle Protected Health Information will receive HIPAA training upon hire and thereafter refresher training on an annual basis. The RM, PO, and SO will determine appropriate training procedures for their respective areas.
PRIVACY INQUIRIES AND COMPLAINTS
Any privacy inquiries and complaints shall be directed to the RM, PO, and SO.
BUSINESS ASSOCIATES
The Dental Clinic is required to enter into agreements governing PHI with any Business Associates. The RM must agree to the terms of an agreement before any PHI is disclosed to a Business Associate.
BREACHES
A breach is the unauthorized acquisition, access, use, or disclosure of PHI. All SPSCC workforce members are required to notify the PO, the SO, or the RM of any known or suspected breaches. The PO and SO will notify the RM of any breaches other than those with a low probability of compromise.
RECORDS RETENTION
Documentation required by HIPAA will be retained for a minimum of six (6) years from the date of its creation or the date when it was last in effect, whichever is later. Records related to minors are maintained for at least ten (10) years, or no less than three (3) years following the patient’s eighteenth birthday.