HIPAA – Health Insurance Portability and Accountability Act
Created 2007
Unit Role
Washington University has three entities responsible for assuring compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA): the HIPAA Privacy Office, the HIPAA Security Office, and the Washington University HIPAA Covered Entity, which is composed of 57 individual Business Units. These three entities help ensure compliance with Federal regulations and with University and sponsoring agency policies and procedures related to HIPAA, and they provide HIPAA-related communication, education, and support for University researchers and staff.
The Privacy Office is responsible for compliance with HIPAA Privacy Regulations regarding the access, use, and disclosure of protected health information (PHI) and coordinates HIPAA Privacy Compliance for the Washington University HIPAA Covered Entity.
The Privacy Office reports to the Executive Vice Chancellors.
The Security Office is responsible for compliance with HIPAA Security Regulations regarding the physical and technical security of electronic PHI. The Security Office coordinates HIPAA Security Compliance for the Washington University HIPAA Covered Entity.
The Security Office is part of the Medical School Central IT Services (MSCITS) organization and reports to the Assistant Dean and Chief Information Officer of the Medical School.
Each of the 57 Business Units (BU) designates a HIPAA Privacy Liaison and a HIPAA Security Liaison. Together, these liaisons are responsible for helping to ensure that their BU complies with the University HIPAA Privacy and Security Policies. The liaisons are also responsible for developing and implementing BU-specific HIPAA compliance policies and procedures, utilizing the resources and tools provided by the HIPAA Privacy and Security Offices, and ensuring appropriate levels of training are completed by all BU personnel.
Together, the Privacy Office, the Security Office, and the 57 Business Units and their respective liaisons coordinate to fulfill the following responsibilities:
Principles, Standards, and Guidance
- Oversee the development, implementation, and review of institutional and business unit-specific policies and procedures to assure the privacy and security of PHI.
- Disseminate information and provide guidance regarding compliance with HIPAA Federal regulations and University and sponsoring agency policies and procedures.
Education and Awareness
- Develop and implement educational programs and tools to effectively train researchers and staff participating in research involving PHI.
- Determine the appropriate level of HIPAA training for researchers and staff.
- Provide communication and other resources for researchers and staff to raise awareness regarding HIPAA requirements.
Administration and Management
- Represent the University to Federal regulatory agencies.
- Develop and implement administrative, physical, and technical safeguards to protect and control access to PHI in accordance with Federal regulations and University and sponsoring agency policies and procedures.
- Develop and maintain electronic systems and technology solutions related to the administration of HIPAA.
Institutional Oversight
- Promote a culture of compliance and oversee adherence to Federal regulations and University and sponsoring agency policies and procedures instituted to safeguard PHI.
Monitoring
- Monitor open research protocols to identify problems and to help ensure compliance with Federal regulations and University and sponsoring agency policies and procedures instituted to safeguard PHI.
Auditing
- Periodically review and assess the progress of previous HIPAA violators.
Noncompliance
- Receive and investigate all internal and external HIPAA privacy and security complaints.
- Assure that each complaint and its disposition are appropriately documented and handled in accordance with Federal regulations and University and sponsoring agency policies and procedures instituted to safeguard PHI.
- Mitigate damages for any violation and administer appropriate sanctions against University faculty and staff found culpable of HIPAA violations, in accordance with Federal regulations and University and sponsoring agency policies and procedures.
- Support and endorse cooperation with University compliance and monitoring efforts, and report instances of noncompliance to the appropriate compliance office.
Coordination Among Entities
- Coordinate with the Human Subject Research Quality Assurance/Quality Improvement Program (HSR QA/QI) and the Human Research Protection Office (HRPO) to facilitate cooperation and help ensure that health information is protected in accordance with HIPAA Federal regulations and University and sponsoring agency policies and procedures.
Records and Reporting
- Create and maintain records for all HIPAA violations and violators.
- Assure confidentiality, integrity, and availability for all electronic PHI created, received, maintained, or transmitted by the institution.