UPPS 01.04.34 - HIPAA Privacy Compliance Program

HIPAA Privacy Compliance Program

UPPS No. 01.04.34
Issue No. 1
Effective Date: 1/09/2026
Next Review Date: 4/01/2031 (E5Y)
Sr. Reviewer: Chief Information Security Officer and HIPAA Security Officer

POLICY STATEMENT

Texas State University is committed to maintaining compliance with the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy Rule.

  1. SCOPE

    1. This policy establishes a Health Insurance Portability and Accountability Act (HIPAA) privacy compliance program and demonstrates Texas State University’s intent to comply with HIPAA. The HIPAA privacy compliance program will guide Texas State Health Care Components (HCCs) in protecting protected health information (PHI) and demonstrate its compliance with applicable requirements.

    2. This policy establishes standards intended to align with state and federal law as well as best practices.

    3. Responsible parties for maintaining a compliance program include the HIPAA Privacy Officer (HPO), the HIPAA Security Officer (HSO), and departmental custodians.

    4. Individually identifiable health information in an education record belonging to a Texas State student will be accessed, used, and disclosed according to UPPS No. 01.04.31, Access to Student Records Pursuant to the Family Educational Rights and Privacy Act of 1974. Education records are excluded from the definition of PHI.

    5. The following are related documents:

      1. UPPS No. 01.04.33, HIPAA Hybrid Designation – designates Texas State as a hybrid entity under HIPAA;

      2. UPPS No. 04.01.01, Security of Texas State Information Resources; and

      3. UPPS No. 04.01.11, Risk Management of Information Resources.

  2. DEFINITIONS

    1. Business Associate (BA) – a person or entity that creates, receives, maintains, or transmits PHI on behalf of a HIPAA covered entity or another BA.

    2. Business Associate Agreement (BAA) – a legally binding contract between healthcare providers and entities that access, use, transmit, or store PHI as part of the provided services. It is a written arrangement that specifies each party’s responsibilities when it comes to PHI.

    3. Covered Entity – includes a health plan, health care clearinghouse, or a health care provider who transmits PHI in electronic form in connection with a HIPAA covered transaction. If a health care provider uses another entity (such as a clearinghouse) to conduct covered transactions in electronic form on its behalf, the health care provider is considered to be conducting the transaction in electronic form.

    4. Covered Transaction – the electronic transmission of information between two parties to carry out financial or administrative activities related to healthcare, as listed in 45 CFR §164.103.

    5. Data Use Agreement (DUA) – an agreement that is required under the HIPAA Privacy Rule and must be entered into before there is any use or disclosure of a limited data set to an outside institution or party and only used for the purposes of research, public health, or health care operations.

    6. De-Identified Health Information – health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. Such information is not individually identifiable health information.

    7. Department of Health and Human Services (DHHS) – a cabinet-level executive branch department of the United States federal government created to protect the health of the United States’ people and provide essential human services.

    8. Education Record – records directly related to a student and maintained by an educational agency or institution or by a party acting for the agency or institution.

    9. Eligible Student – a student who has reached 18 years of age or is attending an institution of postsecondary education. Also referred to as “patient.”

    10. Health Care Component (HCC) – any component (college, school, institute, center, department, office, or unit) of Texas State which would meet the definition of a covered entity or BA if it were a separate legal entity.

    11. Hybrid Entity – a single legal entity that is a covered entity under HIPAA and whose business activities include both covered and non-covered functions and that designates itself as a hybrid entity under HIPAA.

    12. Limited Data Set – a limited data set is a set of identifiable healthcare information that the HIPAA Privacy Rule permits covered entities to share with certain entities for research purposes, public health activities, and healthcare operations without obtaining prior authorization from patients. The limited data set must exclude certain direct identifiers and can be used or disclosed without an individual’s authorization when other compliance steps are taken.

    13. Non-Student Designated Record Set (DRS) – health treatment records of a non-student patient that are made or maintained by a physician, psychologist, or other recognized professional or paraprofessional acting in their professional capacity or assisting in a paraprofessional capacity, made, maintained, or used only in connection with treatment of the non-student and disclosed only to individuals providing the treatment, payment, or healthcare operations of Texas State. Billing and payment records for the healthcare treatment are included in a non-student patient’s DRS.

    14. Non-Student Patient – an individual who is treated at a Texas State healthcare facility, and their treatment is billed in part or full to federal or state health care payors or commercial insurance.

    15. Office of the Inspector General (OIG) – a statutorily created independent entity whose mission is to detect and deter waste, fraud, abuse, and misconduct in the Department of Justice, and to promote economy and efficiency in the department’s operations.

    16. Office for Civil Rights (OCR) – enforces federal civil rights laws; conscience and religious freedom laws; HIPAA Privacy, Security, and Breach Notification Rules; and the Patient Safety Act and Rule, which together protect fundamental rights of nondiscrimination and conscience and religious freedom at covered entities.

    17. Protected Health Information (PHI) – individually identifiable health information, meaning information, including demographic data, that relates to:

      1. the individual’s past, present, or future physical or mental health or condition;

      2. the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual;

      3. and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.

      Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number). The HIPAA Privacy Rule excludes from PHI employment records that a covered entity maintains in its capacity as an employer and education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g.

    18. Subcontractor – a person to whom a BA delegates a function, activity, or service, other than in the capacity of a member of the workforce of BA.

    19. Workforce – employees, volunteers, trainees, and other persons whose conduct, in the performance of work for Texas State, is under the direct control of Texas State, whether or not they are paid by Texas State.

  3. HIPAA COMPLIANCE PROGRAM

    1. Texas State’s HIPAA privacy compliance program is positioned within the Information Security Office and administered by the HPO and HSO.

    2. The Chief Information Security Officer is the designated HSO.

    3. Each university HCC shall appoint a privacy and security custodian for the HCC.

    4. University HCCs shall comply with all applicable HIPAA regulations. Each HCC’s privacy and security custodian shall be the primary HCC representative responsible for providing evidence of compliance to the HPO and HSO.

  4. RELEASE OF INFORMATION

    1. Texas State has a legal and ethical responsibility to promote and preserve the privacy and confidentiality of patient health information in all its stages of development and use. There shall be strict adherence to this basic principle regarding patient health information contained in a non-student patient’s treatment and payment records, which will be released only pursuant to HIPAA.

    2. Medical records are the property of the Texas State HCC.

    3. The privacy and security custodians of each HCC will be responsible for ensuring this policy section is enforced and that access to, use, and disclosure of health information is carried out accordingly.

    4. All Texas State workforce members will share in the responsibility for directing requests for the release of health information to the HCC privacy custodian.

    5. Information contained in medical records belongs to the patient and will be made accessible unless a physician determines access to the information would be harmful to the physical, mental, or emotional health of the patient.

    6. In accordance with HIPAA, Texas State is obligated to provide individuals with an accounting of disclosures of their PHI. This accounting includes instances in which PHI was disclosed for purposes other than treatment, payment, or healthcare operations, and where such disclosures were made without the individual’s authorization. Individuals have the right to request one accounting of disclosures free of charge within any 12-month period.

    7. Requirements for the authorization to release health information can be found in the Standards for the Disclosure of Protected Health Information.

  5. NOTICE OF PRIVACY PRACTICES

    1. Texas State HCCs must provide patients with notice of the uses and disclosures of PHI. The notice must include individual rights, Texas State’s legal duties with respect to PHI, and all required elements as mandated in the HIPAA Privacy Rule.

    2. The content and required language of the Notice of Privacy Practices can be found in the Standards for HIPAA Privacy Practices Notice.

    3. The standards for HIPAA Privacy Practices Notice will be updated as substantive changes or requirements occur.

  6. PATIENT RIGHTS

    1. Confidential Communications – Patients are permitted to make requests to Texas State to receive communications of PHI by alternative means or at alternative locations. Texas State will accommodate reasonable requests and will not request an explanation as to the basis for the request as a condition of providing communications on a confidential basis.

    2. The HCC privacy custodian is responsible for ensuring compliance with this policy and for managing all privacy-related communication requests. The custodian must verify that all communications with the patient align with approved alternative accommodation plans and maintain the privacy of individuals’ information.

    3. Request Amendment – A patient has the right to request an amendment to their PHI or a record about the individual in a DRS for as long as the PHI is maintained in the DRS. Texas State is not required to accept the inclusion of the amendment and may deny in whole or in part. The HCC privacy custodian is responsible for ensuring compliance with this policy and processing requests.

    4. Requirements for requesting an amendment can be found in the Standards for Requests to Amend PHI.

    5. Request Restriction of PHI – Patients may exercise their right and request restriction for certain uses and disclosures of their health information to carry out treatment, payment, healthcare operations, and for disclosures to family and friends involved in the patient’s care. The HCC must agree to the request of an individual to restrict disclosure of PHI about the individual to a health plan under certain conditions.

    6. Requirements for patients’ rights to restrict PHI can be found in the Standards for Patients Right to Restrict PHI.

  7. PRIVACY COMPLAINTS

    1. Texas State has established a method for regulators, workforce members, or individuals internal or external to the university to file a complaint if they believe their privacy rights have been violated.

    2. Individuals may file a complaint with Texas State and with the DHHS.

    3. Complainants will not be retaliated against for filing a complaint.

    4. The HPO will be responsible for receiving, handling, and documenting individuals’ complaints.

    5. University employees who receive a complaint must report it to the HPO without delay. Sensitive or confidential information must not be included when reporting complaints. The HPO or HSO will provide a secure method to receive sensitive or confidential information.

  8. DOCUMENTATION AND RETENTION

    1. HIPAA related activities that require documentation can be found in the Standard for HIPAA Documentation website.

    2. Texas State will retain all HIPAA related documentation for a minimum of six years from the date of its creation or modification, or the date when it was last in effect, whichever is later.

    3. If the university’s records retention schedule (see Record Series SHC220 page 158) has a longer retention period for certain records, that requirement will be followed.

    4. All university workforce members shall have appropriate access to security and privacy law and policies, which may be found on the Information Security Office’s website. Additional HCC-specific procedures will be maintained and made available by each HIPAA privacy custodian and security custodian.

    5. Policies and procedures will be updated any time there is a material change to the processes that they are documenting.

  9. HIPAA PRIVACY AND SECURITY WORKFORCE TRAINING

    1. Texas State shall provide HIPAA compliance training to members of the workforce who work in designated HCCs.

    2. Workforce members who work in designated HCCs must complete HIPAA compliance training prior to being granted access to ePHI, and thereafter annually.

    3. Workforce members may need to retake or attend supplemental training more frequently if disciplinary actions or material changes introduced by regulation make additional training necessary.

    4. The HPO and HSO will review and update training materials when changes in regulation and business practices occur.

    5. Documentation of training must be retained for a period of not less than six years. Records of workforce training shall be made available, upon request, to regulators, auditors, or other authorized parties.

  10. WORKFORCE ACCESS TO, USE, AND DISCLOSURE OF PROTECTED HEALTH INFORMATION

    1. Workforce members’ access to PHI will be granted only after execution of an appropriate confidentiality statement by the workforce member.

    2. Workforce members’ access to, use, and disclosure of PHI will be according to specific written policies and procedures.

    3. All workforce members must comply with university information security, privacy, and HIPAA policies.

    4. The breach of privacy of PHI by a workforce member is addressed in Section 07. of this policy.

    5. Access to patient information will be limited to individuals with a legitimate “need to know” to effectively perform their specific job duties and responsibilities. The workforce may not use, disclose, or request an entire set of patient information unless it is specifically justified as the amount that is reasonably necessary to accomplish the purpose of the access to, use, or disclosure or the patient requests this type of access.

    6. University HCCs will review requests for disclosures on an individual basis based upon developed criteria, which includes training the applicable staff to limit the PHI disclosed to the amount reasonably necessary to accomplish the purpose of the disclosure or request.

    7. Texas State and its employees may not use and disclose PHI except by way of a valid authorization or as permitted and required to do so by law and as noted in the HIPAA Privacy Rule and Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009.

    8. Permitted uses and disclosures of PHI can be found in the Standards for Permitted Use and Disclosure of PHI.

    9. Uses or disclosures that impermissibly involve more than the minimum necessary information may qualify as privacy breaches under HIPAA Omnibus Privacy Rules. In contrast, the use or disclosure of PHI that is incidental to an otherwise permissible use or disclosure and occurs despite reasonable safeguards and proper minimum necessary procedures would not be a violation of the Privacy Rule.

  11. LIMITED DATA SETS

    1. Unless for treatment, Texas State will make reasonable efforts to limit PHI access, use, and disclosure to the minimum necessary and/or create limited data sets pursuant to a DUA.

    2. HCCs may use or disclose a limited data set that excludes the required identifiers defined in 45 CFR 164.514(e)(2) and is created only for the purpose of research, public health, or health care operations.

    3. HCCs may use or disclose a limited data set only if Texas State obtains satisfactory assurance, in the form of a DUA that meets the requirements found in 45 CFR §164.514(e)(4), that the limited data set recipient will only use or disclose the PHI for limited purposes.

  12. DESIGNATED RECORD SET

    1. The DRS defines the collection of PHI that must be made available to an individual who requests access to their PHI and to which an individual can request amendments. The individual may request access for as long as Texas State maintains the PHI. The HCC privacy custodian is responsible for receiving and processing requests.

    2. A DRS is a group of records created and maintained by or for a covered entity and consists of:

      1. health records and billing records about individuals maintained by or for a covered health care provider; and

      2. that are used, in whole or in part, by or for the covered entity to make decisions about individuals.

    3. Texas State defines its DRS in the Standard for DRS.

  13. SANCTIONS, ENFORCEMENT, AND DISCIPLINE

    1. Workforce members, including employees, students, volunteers, and contractors, must follow university policies, procedures, and applicable laws.

    2. Non-compliant staff may be subject to disciplinary action, including immediate termination. Discipline and termination actions will align with the procedures, reasons, and actions found in UPPS No. 04.04.40, Disciplining and Terminating Staff Employees and UPPS No. 07.07.04, Student Employee Termination, Separation, and Grievance Procedures.

    3. Contractors may be terminated or sanctioned or otherwise disciplined according to their BAA and/or contract terms.

    4. All workforce members and contractors must acknowledge that following these rules is a condition of their employment or contract.

    5. Events leading to disciplinary actions that impact the security or privacy of PHI must be reported to the HPO and HSO.

  14. BUSINESS ASSOCIATE MANAGEMENT

    1. Texas State shall enter into a written agreement (BAA) with any individual or entity who may be asked to access, use, disclose, store, or transmit PHI to carry out a function or activity on behalf of an HCC.

    2. The BAA will comply with contemporary standards and establish the permitted and required uses and disclosures of PHI by the BA.

    3. BAAs will be updated as required to maintain compliance with applicable laws, regulations, and policies.

    4. Texas State must acquire satisfactory assurances from the BA that the BA has implemented and operates according to a complete HIPAA compliance plan.

    5. Texas State’s Information Security Officer performs security assessments of BAs to acquire these satisfactory assurances.

    6. BAs also have identical obligations for satisfactory assurances of compliance from their sub-contractors.

  15. COOPERATION WITH REGULATORY INVESTIGATIONS

    1. This section provides guidance on managing investigations from DHHS, OCR, OIG, state attorneys general, or other privacy and/or security regulators and enforcement agencies.

    2. Any workforce member who receives notice of an investigation by a regulatory body must notify the HSO and HPO at hipaa@txstate.edu without delay.

    3. The HSO and HPO will handle notices of investigations as a suspected high-impact incident.

    4. It is the policy of Texas State to fully comply with all investigations conducted by DHHS, OCR, or other regulatory bodies.

    5. Texas State must provide records and cooperate with investigations and reviews and allow access to information during business hours as required by DHHS.

  16. SECURITY AND CONTINUOUS MONITORING OF PROTECTED HEALTH INFORMATION

    1. To prevent, detect, contain, and correct security or privacy violations and threats to PHI, a continuous monitoring strategy is employed by the Information Security Office.

    2. This continuous monitoring strategy will be achieved by the following methods:

      1. regular vulnerability scanning of information systems containing PHI on the Texas State network;

      2. ongoing monitoring via a third-party risk management platform for cloud-based components of information systems storing PHI;

      3. regular and recurring security assessments as outlined in Section 05.02 of UPPS No. 04.01.11, Risk Management of Information Resources;

      4. annual penetration tests on the Texas State network; and

      5. reviews of established BA agreements at contract renewal or substantive change to the agreement.

  17. DE-IDENTIFICATION OF HEALTH INFORMATION

    1. A Texas State workforce member is allowed to de-identify PHI without needing authorization from the individuals whose information is included. This applies whether the de-identified data will be used within Texas State or shared with another entity or individual.

    2. The ability of Texas State to use PHI to create de-identified information, in accordance with HIPAA and this policy, does not create a right of access to PHI for workforce members.

    3. De-identified health information is not considered PHI.

    4. De-identification of PHI may only be performed by authorized workforce members and must comply with the Standards for De-identification of PHI.

  18. DISPOSAL OR DESTRUCTION OF PROTECTED HEALTH INFORMATION OR DEVICES CONTAINING PROTECTED HEALTH INFORMATION

    1. Texas State will implement reasonable safeguards to limit incidental and avoid prohibited uses and disclosures of PHI during destruction. Failing to implement reasonable safeguards to protect PHI in connection with disposal could result in impermissible disclosures of PHI and disciplinary action for the workforce member.

    2. Texas State may not dispose of PHI in paper records, labeled prescription bottles, patient identification bracelets, PHI in electronic media, or other forms of PHI in dumpsters, recycling bins, garbage cans, or other trash receptacles generally accessible by the public or other unauthorized persons.

    3. Disposal of PHI stored electronically must follow the process outlined in Section 02.10 of UPPS No. 04.01.11, Risk Management of Information Resources.

    4. Disposal or destruction of paper or other physical records must adhere to the disposition instructions maintained by the University Libraries.

  19. SECURITY OR PRIVACY INCIDENT REPORTING AND RESPONSE

    1. Owners, custodians, and users must immediately report suspected security or privacy incidents or data breaches to the HPO and the HSO at HIPAA@txstate.edu.

    2. Sensitive or confidential information must not be included when reporting incidents. The HPO or HSO will provide a secure method to receive sensitive or confidential information.

    3. Events impacting the security or privacy of PHI or information systems handling PHI will be investigated in alignment with UPPS No. 04.01.10, Information Security Incident Management.

  20. REVIEWERS OF THIS UPPS

    1. Reviewers of this UPPS include the following:

      Position                                                        Date
      Associate Director, Student Health Center                       April 1 E5Y
      HIPAA Privacy Officer                                           April 1 E5Y
      Chief Information Security Officer and HIPAA Security Officer   April 1 E5Y

  21. CERTIFICATION STATEMENT

    This UPPS has been approved by the following individuals in their official capacities and represents Texas State policy and procedure from the date of this document until superseded.

    Chief Information Security Officer and HIPAA Security Officer; senior reviewer of this UPPS

    Vice President for Information Technology

    President