12-3 HIPAA: Notice of Privacy Practices

• Attachments are included in the PDF file.
• Effective date of this revision: February 5, 2026.
• Contact for more information: Office of HIPAA Compliance 989-774-2829, hipaa@cmich.edu

Background

Central Michigan University (CMU) is a covered entity under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) law and regulations. CMU has designated itself as a hybrid entity as its business activities include both covered and non-covered functions. HIPAA requires that all CMU officers, employees and agents of units within the hybrid entity must preserve the confidentiality and integrity of Individually Identifiable Health Information (IIHI) pertaining to each patient, client, or participant in CMU’s self-funded health plan. This IIHI is considered Protected Health Information (PHI) and shall be safeguarded in compliance with the rules and standards established under HIPAA.

For additional information on the measures Central Michigan University has implemented to comply with this legislation, visit CMU’s official HIPAA website at HIPAA.cmich.edu.

Purpose

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its rules direct that a covered entity (CE) provide individuals with adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual’s rights and the covered entity’s legal duties with respect to protected health information. This policy issues CMU’s Notice of Privacy Practices and a Summary Notice of Privacy Practices for its Hybrid Entity.

Definitions

The terms used in this policy have the same meaning as those terms in the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 and the regulations at 45 CFR Parts 160, 162, and 164.

Policy

1. HIPAA Privacy Officer and General Counsel will develop or revise CMU’s Notice of Privacy Practice and ensure it includes the required contents of the HIPAA Notice of Privacy Practices standard.
2. CMU’s Notice of Privacy Practices will be made available on CMU’s Office of HIPAA Compliance webpage.
3. All units covered under CMU’s Hybrid Entity designation:
   • Must make CMU’s Notice available to any person who asks for it.
   • Must prominently post and make available CMU’s Notice on any website it maintains that provides information about its services or benefits.
   • May email the Notice to an individual if the individual agrees to receive an electronic notice.
   • May not use or disclose PHI in a manner inconsistent with its Notice.
4. The Health Plan will provide notice:
   • At the time of enrollment to new enrollees.
   • If there is a material change to the Notice:
     1. If the Health Plan posts the updated notice on the Health Plan’s website and makes the notice available electronically, the Health Plan will:
        • Prominently post the change or the revised notice on its website by the effective date of the material change; and
        • Provide the revised notice, or information about the material change and how to obtain the revised notice, in its next annual mailing to individuals covered by the Plan.
   • If the Health Plan does not post its notice on its website, the Health Plan must provide the revised notice, or information about the material change and how to obtain the revised notice, to individuals who are then covered by the Plan within 60 days if any material revision to the notice.
   • At least every three years the Health Plan will notify individuals covered by the Health Plan of the availability of the Notice and how to obtain it.
5. For the Healthcare Components:
   • Healthcare providers within the hybrid entity will provide notice to new patients as follows:
     1. Upon the individual’s first visit.
     2. When the first service delivery to an individual is provided over the Internet, if the first service delivery to an individual is delivered electronically, the covered healthcare component must provide electronic notice automatically and contemporaneously in response to the individual’s first request for service.
     3. A healthcare component may provide the notice to an individual by email, if the individual agrees to electronic notice and such agreement has not been withdrawn. If the healthcare component knows that the email transmission has failed, a paper copy of the notice must be provided to the individual. The individual who is the recipient of electronic notice retains the right to obtain a paper copy of the notice from a covered entity upon request.
     4. In an emergency treatment situation, as soon as reasonably practicable after the emergency treatment situation.
     5. The healthcare provider will make a good faith effort to obtain from new patients written acknowledgement of receipt of the Notice, and, if not obtained, document is good faith efforts to obtain the acknowledgement and the reason why the acknowledgement was not obtained (for example, that the form was offered to the individual and that the individual declined to sign the acknowledgement.)
   • The healthcare provider will:
     1. Have the Notice available at the service delivery site (typically the reception desk) for individuals to request and take them.
     2. Post the Notice in the patient waiting area where individuals may read it.
   • Whenever the Notice is revised, post the revised Notice in the patient waiting area and make it available upon request on or after the effective date of the revision.
6. The attached Notice of Privacy Practices and the CE’s Summary Notices of Privacy Practices are hereby issued as the policy and procedure of CMU with regard to its obligations under HIPAA.

Central Michigan University reserves the right to make exceptions to modify or eliminate this policy and or its content. This document supersedes all previous policies, procedures or guidelines related to this subject.