HIPAA Security & Privacy Oversight

As of June 1, 2013, Regis University became compliant under the Health Insurance Portability and Accountability Act (HIPAA), which was passed by Congress in 1996. The HIPAA regulations were developed to reduce health care fraud and abuse, to provide transferability of health insurance coverage, to mandate standards for electronic billing processes, and to protect confidential health information.

The HIPAA Privacy regulations require that health care providers and organizations, as well as their business associates, develop and follow procedures that ensure the confidentiality and security of protected health information (PHI) when it is transferred, received, handled, or shared. This applies to all forms of PHI, whether paper, oral, or electronic. Furthermore, only the minimum health information necessary to conduct business is to be used or shared.

Because student privacy is protected by FERPA regulations, we were not subject to HIPAA regulations until recently when patients other than students began to be seen in various care areas around campus (Regis Cares Clinic, CPS Counseling, claims information in Human Resources, etc.). We have now established HIPAA-compliant policies and procedures for the University. These new policies also enable us to negotiate Business Associate Agreements with researchers, vendors, and other contractors, which we were not able to do prior to complying with the regulations.

As part of our policies, Regis is required to develop an information technology “secure HIPAA footprint” to store confidential information and control access to protected health information, and to designate oversight for the entire process. Sheila Carlon and Susan Layton have been designated as the HIPAA Privacy Officers and Chuck Steigerwalt has been designated as the HIPAA Security Officer.

Other requirements of the regulations include workforce training and periodic training updates, so watch for scheduled training notices throughout the summer and early fall or contact Sheila Carlon at 303.458.4108 or Susan Layton at 303.458.4391 to schedule training or obtain additional information.

The primary function of Regis University is to educate men and women of all ages at the graduate and undergraduate level. In the course of providing educational and research learning experiences to Regis University health care students and staff, certain departments and programs may include activities that fit the definition of the activities of a covered entity and involve the use and handling of PHI and ePHI. When organizations have some healthcare components and some non-healthcare components, the entire organization is subject to HIPAA unless it declares itself to be a "hybrid entity." As allowed by 45CFR164.103 and 45CFR164.105(a)(2)(iii)(C), Regis University is designating itself as a “Hybrid Entity” for the purposes of HIPAA compliance.

Designation of covered components

The Regis University components covered under the designation of hybrid entity are limited to the following.

In the College for Professional Studies, the following programs are covered:

  • M.A. Counseling
  • M.A. Marriage and Family Therapy

In the Rueckert-Hartman College for Health Professions, the following programs are covered:

  • Division of Health Services Administration
  • Loretto Heights School of Nursing
  • School of Pharmacy
  • School of Physical Therapy
  • Clinical Care Areas

Compliance requirements for designated hybrid entity components

It is the responsibility of the chairperson of any department or program that is not listed above to notify the Regis University HIPAA Privacy & Security Committee if any of its students, staff or faculty are:

  • Signatory to a Business Associate Agreement or other Data Use Agreements that covers a Regis University-sponsored program, project or activity;
  • A participant in a Regis University-sponsored program, project or activity covered by a Business Associate Agreement or other Data Use Agreements, or
  • A participant in a Regis University-sponsored program, project or activity that involves the use, access or handling of PHI or ePHI as defined in HIPAA that is not covered by a Business Associate Agreement or other Data Use Agreements.

Departments and programs identified as a hybrid entity component are required to follow the applicable requirements of the HIPAA Privacy & Security Rules in accordance with the University's HIPAA policies and procedures. It is the policy of Regis University to:

  • Ensure the security and confidentiality of PHI and ePHI as covered by HIPAA 45 CFR Parts 160 and 164;
  • Protect against any anticipated threats or hazards to the security or integrity of such information, and
  • Protect against unauthorized access, use or disclosure of such information.

If other departments need to access protected health information in the course of providing support to a covered component, the covered component is responsible for ensuring the appropriate HIPAA training has been completed by the personnel that will be accessing the protected health information.

If a third party has access to the PHI or ePHI under the control of a Regis University covered component, that third party must agree in writing to comply with the applicable HIPAA privacy and security requirements.

Reporting requirements in the event of a suspected breach

In the event that any Regis University staff, faculty or student becomes aware of the unauthorized use or disclosure of PHI or ePHI that is under the control and protection of Regis University, the incident must be reported within 5 days of discovery to:

Sheila Carlon, HSA Division Director
Regis University
3333 Regis Blvd.
Denver, CO 80221
303 458 4108

With a copy to:
Susan Layton,
Associate Vice President
Regis University
3333 Regis Blvd.
Denver, CO 80221

Policy compliance and sanctions

Systems, resources, user activities and processes will be monitored to verify proper operation of the university’s HIPAA privacy and security practices. All violations of the Regis University HIPAA information security program, its policies and associated practices shall be reported to the Regis University HIPAA Privacy & Security Committee.

Serious or repeat violations will, when appropriate, be reported to the Human Resources Department or Legal Department for follow-up.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and subsequent revisions, including the HITECH Act, require that all health care records and other individually identifiable health information (PHI) used or disclosed to us in any form be kept confidential and secure. This federal law provides you, the patient or employee, with significant rights to understand, control and have access to your health information and includes penalties for any misuse of that information.

During the process of providing services to you via the Regis Health Plan, Counseling Services, Regis Cares PT Clinic or other entity, confidential information (mental health, medical information, etc.) will be gathered and stored for uses described within this notice and will not be disclosed without your consent except for the circumstances described in this Notice.

1. Uses and disclosures of protected information

Specific written authorization is not required for the purposes of treatment, payment and health care operations as defined below:

1.1 Treatment: Refers to the provision, coordination or management of mental health, medical care and any treatment plan processes. Those involved in treating an individual may use your information to plan your course of treatment or to consult with other health care professionals or their staff, including health care students, concerning services needed or provided to you.

1.2 Payment: Payment refers to the activities undertaken by a health care provider/plan to obtain or seek reimbursement for health care services which may involve disclosures to insurance companies or to third party billers for assistance in obtaining payment.

1.3 Health Care Operations: Health care operations refers to activities undertaken by an entity that may include access to information for management and administrative purposes, quality assurance, medical and/or legal reviews, audits, compliance, business planning, accreditation or credentialing activities.

2. Disclosures required by law

Regis University will disclose protected health information when required by law. This includes but is not limited to:

2.1 Reporting child abuse or neglect to the Department of HHS and/or law enforcement

2.2 When court ordered to release information

2.3 When there is a legal duty to warn of a threat from a client of imminent physical violence, if a client is a danger to self or others, or is gravely disabled, or

2.4 When required to report a threat to the national security of the U.S.

3. Other uses

3.1 Protected health information concerning you may be used with your permission for research purposes if the relevant provisions of the Federal HIPAA privacy regulations are followed.

3.2 Protected health information and compliance documents may be used with your permission to arrange clinical site placement.

4. Your rights

4.1 Access to Protected Health Information: You have the right to receive copies of your health information by contacting the service provider directly and completing the appropriate request.

4.2 Amendment of Records: You have the right to request an amendment to your health record if you believe information to be inaccurate or incomplete by contacting the service provider directly.

4.3 Disclosures: You have the right to request an accounting of disclosures of your records by contacting the health provider directly and completing the appropriate request form.

4.4 Report Privacy Violations: If you feel that your health information or privacy has been compromised (either electronically or verbally), you may send a written complaint to the US Department of Health and Human Services at the address below and/or contact the Regis University Privacy Officers listed below.

US Department of Health & Human Services
Office of Civil Rights
200 Independence Avenue, SW
Washington, D.C., 20201
Phone: 877.696.6775 (Toll Free)

Regis University Privacy Officers:
Susan Layton (slayton@regis.edu)
Sheila Carlon (scarlon@regis.edu)

Report an incident that involves a possible breach of privacy of protected health information. All reports are investigated by the Privacy Officers of Regis University.