2.9 Policies, Rules and Regulations

Effective Date:

11-01-16

Revision Date:

University Policy Statement

The privacy and security of Protected Health Information (PHI) in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is of paramount importance to Eastern Michigan University (EMU). 

HIPAA regulates health care providers (Covered Entities) that electronically maintain or transmit PHI in connection with a covered transaction. HIPAA requires a Covered Entity to maintain administrative, technical, and physical safeguards for the privacy and security of PHI, to appropriately train employees on these safeguards, to regularly notify patients of the entity's privacy practices, and to have clear processes for receiving complaints involving privacy and for acting on any potential breach of privacy. Entities or individuals who contract to perform services for a Covered Entity with access to PHI (Business Associates) must also comply with the HIPAA privacy and security standards by signing a Business Associate Agreement with the Covered Entity.

Four units within EMU comprise a "Hybrid Covered Entity" pursuant to HIPAA because each of these units meets the definition of a Covered Entity under the statute.  The units within EMU's Hybrid Covered Entity are as follows: 

  • University Health Services,
  • Human Resources-Benefits,
  • Counseling and Psychological Services (CAPS), and
  • Autism Collaborative Center.

Each of these units shall be subject to HIPAA's policies and procedures as articulated above. 

This policy establishes an EMU Privacy Committee and the role of HIPAA Privacy Director.  EMU's Privacy Committee, led by its HIPAA Privacy Director, shall establish and issue HIPAA administrative policies and procedures to ensure EMU's full compliance with HIPAA, and shall amend such policies and procedures as appropriate.

University Practice

HIPAA Privacy Director and Privacy Committee

HIPAA compliance at EMU shall be regulated and enforced by a HIPAA Privacy Director, assisted by a Privacy Committee and the Legal Affairs Office. EMU's HIPAA Privacy Director shall be appointed by the President of the University to assume responsibility for developing, implementing, maintaining, and monitoring adherence to EMU's HIPAA privacy policies and procedures, and for monitoring compliance with required training for the EMU Hybrid Covered Entity. This individual will also be responsible for receiving complaints related to HIPAA privacy issues regarding EMU's Hybrid Covered Entity, and for receiving notice of any potential breach of privacy within the Hybrid Covered Entity.

Business Associate Agreements

Each unit comprising the EMU Hybrid Covered Entity shall enter into a written Business Associate Agreement, as required by HIPAA, with any person or entity that creates, receives, maintains, or transmits PHI on behalf of the EMU Hybrid Covered Entity. Accordingly, the Privacy Committee, led by the HIPAA Privacy Director, shall establish and issue policies and standards for implementing contract provisions related to those individuals and organizations identified as Business Associates that may provide treatment, payment, or health care operations services to a unit within the EMU Hybrid Covered Entity.

Notice of Privacy Practices

Each unit comprising EMU's Hybrid Covered Entity shall issue a Notice of Privacy Practices, informing patients of the Covered Entity's legal duties and practices with respect to PHI, including notification following a breach of unsecured PHI.  Each such unit shall also have a process by which any person can make a complaint regarding EMU's privacy policies, procedures, and/or practices. The Privacy Committee, led by the HIPAA Privacy Director, shall develop administrative policies and practices governing the issuance of all such notices.  The HIPAA Privacy Director will also act as a point of contact for those who wish to learn more about any Notice of Privacy Practices document issued by a unit within EMU's Hybrid Covered Entity.

Responsibility for Implementation

The President shall delegate to the EMU Privacy Committee, as led by its HIPAA Privacy Director, the responsibilities articulated above.

Scope of Policy Coverage

This policy shall apply to the entire University community: faculty, staff, visitors, patients, and clients.

Authority for Creation and Revision

Minutes of the Board of Regents, November 1, 2016
