12-1 HIPAA: Organization for Compliance

About CMU's "Organization for HIPAA compliance policy"

This policy establishes an organizational structure to ensure that CMU complies with the Health Insurance Portability and Accountability Act of 1996.

NOTE ABOUT PDF VERSION: The PDF is the official text of the policy. If there are any incongruities between the text of the HTML version and the text within the PDF file, the PDF will be considered accurate and overriding.

  1. Effective date of this revision: June 27, 2025
  2. Contact for more information: Office of HIPAA Compliance, 989-774-2829, hipaa@cmich.edu

BACKGROUND

Central Michigan University (CMU) is a covered entity under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) law and regulations. CMU has designated itself as a hybrid entity as its business activities include both covered and non-covered functions. HIPAA requires that all CMU officers, employees and agents of units within the hybrid entity must preserve the confidentiality and integrity of Individually Identifiable Health Information (IIHI) pertaining to each patient, client, or participant in CMU’s self-funded health plan. This IIHI is considered Protected Health Information (PHI) and shall be safeguarded in compliance with the rules and standards established under HIPAA.

For additional information on the measures Central Michigan University has implemented to comply with this legislation, visit CMU’s official HIPAA website at HIPAA.cmich.edu.

PURPOSE

This policy establishes a formal HIPAA governance structure for CMU’s HIPAA Compliance Program and its activities under the Health Insurance Portability and Accountability Act of 1996.

DEFINITIONS

The terms used in this policy have the same meaning as those terms in the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 and the regulations at 45 CFR Parts 160, 162, and 164.

POLICY

  1. HIPAA Privacy Officer. The president shall appoint a HIPAA Privacy Officer who shall be the designated official with centralized authority for HIPAA compliance and administration whose responsibilities are listed below. The HIPAA Privacy Officer shall have a dual reporting line. The HIPAA Privacy Officer shall report to the CMU President for strategic and operational guidance. The HIPAA Privacy Officer shall also be supervised by the Executive Vice President for Health Affairs.
    1. Responsibilities:
      1. Provides a coordinated university wide oversight of compliance with HIPAA, assuring that policies and procedures required to meet regulatory guidelines are developed and implemented in a timely manner.
      2. Serves as HIPAA Privacy Officer for CMU’s Hybrid Entity; assures that applicable CMU units are kept informed about HIPAA requirements and developments.
      3. Serves as chair of the HIPAA Council; assures that responsibilities of this council are coordinated so that persons best suited to complete tasks in each situation are assigned to those tasks; in cases of disagreement, makes decisions as to which representative and/or council subcommittee (in the case of sub-committee creations) shall be primarily responsible for certain tasks.
      4. Oversees privacy and security compliance activities, working closely with HIPAA Representatives, HIPAA Council members, HIPAA Security Officer, and HIPAA Executive Steering Committee.
      5. Signs off on all HIPAA related policy and procedure statements, including those which are specific to only one component of the CMU Hybrid Entity.
      6. With the assistance of the Office of General Counsel,
        1. Provides guidance and assists in the identification, development, implementation and maintenance of uniform CMU HIPAA privacy and security policies and procedures.
        2. Prepares uniform business associate agreements for outside vendors; develops the standard Notice of Privacy Practices to be used by each component of the Hybrid Entity.
        3. Identifies designee, or serves as member of, or liaison to, CMU’s Institutional Review Board (IRB). Also serves as the information privacy liaison for users of clinical and administrative systems.
        4. Maintains and applies current knowledge of applicable federal and state privacy laws and accreditation standards.
        5. Serves as primary contact between the Office of Civil Rights, or other legal entities, and CMU officials in any compliance reviews or investigations for HIPAA related matters.
        6. Establishes and administers a process for receiving, documenting, tracking, investigating and taking action on all complaints and reports of possible violations concerning CMU’s HIPAA privacy policies and procedures.
          1. Assures that CMU has effective policies and procedures for protecting individuals from retaliation for exercising their rights under HIPAA.
        7. Assures consistent application of sanctions for failure to comply with privacy policies for all individuals in CMU’s workforce and for all business associates, in accordance with applicable CMU policies and procedures.
        8. Develops and implements a schedule for regular review of HIPAA policies and procedures and also assures revisions to policies and procedures on an as needed basis.
        9. Develops, implements, coordinates and prepares all required reports for the HIPAA Executive Steering Committee’s annual evaluation of the HIPAA program.
        10. Collaborates with the Associate Vice President of Human Resources and the Director of Benefits and Wellness to assure that all human resource related contracts applicable to HIPAA have Business Associate Agreements established and maintained in a centralized location within the CMU Human Resources Department.
        11. Collaborates with the Director of Contracting and Purchasing and the applicable units to assure Business Associate Agreements are established by the Hybrid Entity and are also maintained in a centralized location within the CMU department of Contracting and Purchasing.
        12. Supervisory and oversight responsibility for the HIPAA Coordinator.
    2. HIPAA Executive Steering Committee. The President shall appoint the members of the HIPAA Executive Steering Committee whose responsibilities are listed below.
      1. Composition:
        1. Executive Vice President/Provost (Chair)
        2. Executive Vice President Health Affairs/Dean of College of Medicine (Vice-Chair)
        3. Vice President and General Counsel
        4. Vice President for Research/Dean of Graduate Studies
        5. Vice President for Information Technology/Chief Information Officer
        6. Dean of The Herbert H. and Grace A. Dow College of Health Professions
        7. Director of Internal Audit (Ex-officio, non-voting)
      2. Responsibilities:
        1. Provides executive level oversight of the HIPAA program through a formal annual evaluation process, developed in coordination with the HIPAA Privacy Officer.
        2. Provides a consultant and leadership role to the HIPAA Privacy Officer in order to assure that he/she is able to carry out the duties of the HIPAA Privacy Officer including but not limited to the appropriate enforcement of HIPAA policies and procedures.
    3. HIPAA Representatives. There shall be HIPAA Representatives that are responsible for serving as the appointees for their respective units that have been identified as a unit or department of the CMU HIPAA Hybrid entity. With the concurrence of the HIPAA Privacy Officer and HIPAA Executive Steering Committee, the appropriate Vice President or College Dean shall appoint its HIPAA Representative.
      1. Responsibilities:
        1. Works directly with the HIPAA Privacy Officer on matters related to HIPAA on an immediate, ongoing, and as needed basis, including the assurance of timely reporting of breach incidents.
        2. Assures implementation and compliance with HIPAA policies and procedures within their units.
        3. Establishes process and site-specific training for all staff within the unit who have access to PHI.
        4. Assures Business Associate Agreements (BAA) are established with all vendors to their units who are covered by HIPAA regulations, reviews language of the BAA with the HIPAA Privacy Officer and assures original BAA is maintained in the CMU department of Contracting and Purchasing.
        5. Assures that the HIPAA Notice of Privacy Practices is available, posted, and communicated as required by HIPAA.
        6. Oversees patient rights to inspect, request to amend, and restrict access to protected health information.
        7. Assures that practices are in place to mitigate harmful effects of use or disclosure of protected health information in violation of CMU policies and procedures or requirements of law.
        8. Serves on the HIPAA Council.
    4. HIPAA Coordinator. The HIPAA Coordinator shall be appointed by and report directly to the HIPAA Privacy Officer.
      1. Responsibilities:
        1. Oversees, directs and delivers or ensures delivery of HIPAA training and orientation.
        2. Oversees the maintenance of the HIPAA website and any HIPAA on-line training, coordinating with Information Technology and General Counsel.
        3. Provides oversight of distribution of information about HIPAA and compliance requirements to employees, students, volunteers and others within the CMU community.
        4. Initiates, facilitates and promotes activities to foster HIPAA awareness within CMU.
        5. Maintains records of training completed by CMU workforce members within the CMU hybrid entity.
        6. Provides secretarial duties to the HIPAA Privacy Officer and HIPAA councils/committees.
    5. HIPAA Security Officer. The HIPAA Privacy Officer and the Vice President for Information Technology/Chief Information Officer will agree upon a person to be appointed HIPAA Security Officer.
      1. Responsibilities:
        1. Reviews all system-related information security plans throughout CMU’s network to ensure alignment between security and privacy practices.
        2. Assures compliance with electronic transaction standards.
        3. Acts as liaison to the Office of Information Technology.
        4. Monitors advancements in information privacy technologies to ensure CMU adaptation and compliance.
        5. Coordinates establishment of systems, policies and procedures to comply with the HIPAA Security Rule.
        6. Serves on the HIPAA Council.
    6. HIPAA Council
      1. Composition:
        1. HIPAA Privacy Officer (chair)
        2. HIPAA Security Officer
        3. HIPAA Coordinator
        4. HIPAA Representative for each unit and/or clinical discipline of the Hybrid Entity
        5. Director of Risk Management
        6. Ad hoc as needed:
          1. Units/departments within the non-healthcare components of the Hybrid Entity
          2. HIPAA Executive Steering Committee members
          3. Others may be asked to join as appropriate
      2. Meetings:
        1. Quarterly, minimum 4 times per year, and at call of the Chair. (HIPAA Executive Steering Committee members shall attend the regular quarterly meetings as desired or as requested by the HIPAA Privacy Officer).
      3. Responsibilities:
        1. Serves as an active participant on the Council for conducting and documenting the ongoing HIPAA Risk Assessment, Risk Management, and corrective action activities.
          1. Participates in ongoing and periodic review to assure that the University has appropriate administrative, technical, and physical safeguards in place to effectively safeguard Protected Health Information.
        2. Works directly with the HIPAA Privacy Officer on matters related to HIPAA on an immediate, ongoing, and as needed basis and assures that HIPAA incidents are reported in a timely manner.
        3. Develops and provides an annual report of HIPAA related activities to be presented to the HIPAA Executive Committee and the President. The HIPAA related activities in the annual report shall include, but not be limited to, HIPAA technical and non-technical risk assessment and risk management activities, HIPAA breaches, and changes in the CMU environment or healthcare operations that result in a change to the healthcare components of CMU’s Hybrid Entity designation.
        4. Assures communication among all units of the University involved with HIPAA compliance; promoting university-wide personal responsibility and behaviors to ensure the privacy, security, and integrity of all sensitive information.
        5. Engages in problem solving where broad input is needed.
        6. Assures consistency in HIPAA related policies and procedures among components of hybrid covered entity.
        7. Provides feedback on the successes and challenges of communication of HIPAA goals and rules to the campus at large.
        8. Designates sub-committees as necessary.

Central Michigan University reserves the right to make exceptions to, modify, or eliminate this policy and/or its content. This document supersedes all previous policies, procedures or guidelines related to this subject.