Health Insurance Portability and Accountability Act/Health Information Technology for Economic and Clinical Health (HITECH)
Penn State is a hybrid entity; only parts of Penn State are subject to HIPAA and/or HITECH. HITECH applies to electronic health information and the dissemination thereof. The parts of Penn State that are regulated under HIPAA are referred to as Covered Components. The University has identified which of its specific units are Covered Components. Covered Components are specified as a health care provider, health plan, or health care clearinghouse that transmits health information in electronic form in connection with a covered transaction. For more information regarding whether or not your unit would meet the definition of a Covered Component under HIPAA, directly contact the Penn State HIPAA Compliance Team at hipaa@psu.edu. For additional details on Covered Component (Entity) status, please refer to the U.S. Department of Health and Human Services.
The University Privacy Officer serves as the designated HIPAA Privacy Officer, responsible for coordinating compliance with specific standards of the HIPAA Privacy Rule.
The designated HIPAA Security Officer is responsible for coordinating compliance with specific standards of the HIPAA Security Rule regulations with regard to the protection of Electronic Protected Health Information (ePHI).
In addition, each identified Covered Component must participate in ongoing HIPAA compliance and must assign a staff member within its unit the responsibility for HIPAA compliance and regulatory implementation, including both the HIPAA Privacy and Security Rules.
Note: The Milton S. Hershey Medical Center and the Penn State College of Medicine have been joined together as an “Affiliated Covered Entity” and act as one for the purposes of HIPAA. The Hershey Medical Center has its own privacy officer and one set of materials and procedures used to comply with HIPAA. If faculty, staff, or students are participating in any activity that involves patient information from the Milton S. Hershey Medical Center, it will be necessary to follow the privacy and security policies of the medical center.
Reporting a Suspected Breach of PHI
Pursuant to the HIPAA Breach Notification Rule, an individual has a right to receive a written notice if their unsecured PHI has been breached while in the possession, custody, or control of a Covered Component or a vendor working with the Covered Component. If you suspect a breach of unsecured PHI has occurred, immediately report this to hipaa@psu.edu and/or security@psu.edu.
HIPAA Complaint Form
The Privacy Office is responsible for the implementation and administration of an institutionally based complaint process in compliance with the rules and regulations of HIPAA. Patients who believe their privacy rights have been violated may make complaints directly to the Penn State Privacy Office or to the Office for Civil Rights.
To file a complaint with the Penn State Privacy Office, please print and complete the Health Information Privacy Complaint Form. Mail the completed form to:
HIPAA Privacy Officer
Penn State Privacy Office
025 Technology Support Building
300 Science Park Road
State College, PA 16803
You may also file a complaint directly with the Office for Civil Rights.
Please reference University Policy AD22, HIPAA, or contact the Penn State HIPAA Compliance Team at hipaa@psu.edu for additional guidance.