HIPAA - Procedures for the Protection of Private Healthcare Information


  1. Business Associate (BA):  Any person or entity, other than a member of the SPSCC workforce, who performs services for or on behalf of the clinic involving the use or disclosure of PHI, such as billing, information technology, quality control assessments, document destruction, and legal services.
  2. Protected Health Information (PHI):  Health information that identifies an individual, or with respect to which there is a reasonable basis to believe the information can be used to identify an individual, and that is transmitted or maintained electronically or in any other form or medium.

The following is not PHI:  Educational records; student medical records; employment records; health information generated in the Radiography and Preclinical Laboratories separate from the Dental Clinic.

  1. SPSCC Workforce Members:  Workforce members include SPSCC faculty, staff, and volunteers in the dental department.  Employees in IT, the business office, Instruction, Facilities, and Security that are assigned to work with or in the dental department who may potentially handle PHI are members as well. Students in the dental assisting program and student externs from the Pierce College Dental Hygiene program are also considered part of this group.
  2. Dental Workforce Members:  Staff, faculty, students, and volunteers in the dental department and clinic.

These procedures address the confidentiality and safeguarding of individually identifiable health information transmitted or maintained in any form or medium by South Puget Sound Community College in accordance with the Health Information Portability and Accountability Act (HIPAA).


South Puget Sound Community College is designated as a hybrid entity, meaning it conducts both covered and non-covered functions.  The Campus Dental Clinic located within the dental assisting program (hereinafter “Dental Clinic”) is the healthcare component that generates PHI.  The college’s business office and Information Technology (IT) department are considered to be part of the healthcare component to the extent they perform functions that support the Dental Clinic.  The business office and IT department must comply with HIPAA to the extent they create, receive, maintain, or transmit PHI on behalf of the Dental Clinic. 


Risk Manager (RM): The Vice President for Finance and Operations

  1. Receives and investigates complaints
  2. Oversees monitoring, auditing, and compliance practices college-wide
  3. Ensures SPSCC Workforce Members outside of the dental department and IT department are compliant
  4. Receives and assesses potential breaches and carries out notification procedure when appropriate
  5. Serves as liaison with the Attorney General’s office

Privacy Officer (PO): The Director of Dental Assisting

  1. Develops and implements policies and procedures for the Dental Clinic related to federal and state privacy laws and regulations.
  2. Audits and monitors practices to ensure the Dental Workforce Members are compliant.
  3. Assists Risk Manager in investigating complaints
  4. Provides information about matters covered by the Notice of Privacy Practices.
  5. Serves as the contact point for patients who wish to exercise their privacy rights.
  6. Ensures Dental workforce members are educated about their responsibilities related to federal and state privacy laws and regulations
  7. Maintains records in accordance with state and federal requirements.
  8. Monitors regulatory developments and recommends program modifications as needed

Security Officer (SO): The Executive Technology Officer

  1. Ensures information systems are compliant with HIPAA security requirements
  2. Ensures IT workforce members are compliant with HIPAA
  3. Assists Risk Manager in investigating complaints


All employees expected to handle Protected Health Information will receive HIPAA training upon hire and thereafter refresher training on an annual basis.  The RM, PO, and SO will determine appropriate training procedures for their respective areas.


Any privacy inquires and complaints shall be directed to the RM, PO, and SO.


The Dental Clinic is required to enter agreements governing the PHI with any Business Associates.  The RM must agree to the terms of an agreement before any PHI is disclosed to a Business Associate.


A breach is the unauthorized acquisition, access, use, or disclosure of PHI.  All SPSCC workforce members are required to notify either the PO, SO, or the RM of any known or suspected breaches.  The PO and SO will notify the RM of any breaches other than those with a low probability of compromise.


Documentation required by HIPAA will be retained for a minimum of six (6) years from the date of its creation or the date when it was last in effect, whichever is later.  Records related to minors are maintained for at least ten (10) years, or no less than three (3) years following the patient’s eighteenth birthday.