Skip to main content

University Policy 123

Health Insurance Portability and Accountability Act Compliance

Initially Approved: November 23, 2015
Revised: October 11, 2022
Technical Change: February 20, 2023

Policy Topic: Governance and Administration
Administering Office: Health Services/Legal Counsel Office


The Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulates health care providers, known as “Covered Entities” (Covered Entities or CE) that electronically maintain or transmit protected health information (PHI) in connection with a covered transaction. HIPAA requires each Covered Entity to maintain reasonable and appropriate administrative, technical, and physical safeguards for privacy and security. Entities or individuals who contract to perform services for a Covered Entity with access to protected health information, known as a Business Associate (Business Associates) are also required to comply with the HIPAA privacy and security standards. Western Carolina University (WCU or University) is subject to the HIPAA regulations because certain units of the University conduct business and provide patient care that is subject to the regulations. WCU is required to identify its units that are Covered Entities, ensure compliance with safeguard and implementation specifications, and provide for enforcement of compliance with the HIPAA regulations. Western Carolina University designates HIPAA Security and Privacy Officers to provide campus-wide leadership for compliance.


  1. HIPAA –Part of federal regulations set forth to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and wellbeing.
  2. HITECH – The Health Information Technology for Economic and Clinical Health Act (HITECH) was enacted in 2009 to promote and expand the adoption of health information technology, specifically the use of electronic health records by healthcare providers.  The act also tightened up the language of HIPAA and instituted an enforcement process for HIPAA violations that was previously missing.
  3. Protected Health Information–Any information about health status, provision of health care, or payment for health care that can be linked to a specific individual.
  4. Covered Entity - Any health plans, health care clearinghouses, and any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of the Department of Health and Human Services (DHHS) has adopted standards under HIPAA. Only units defined in Exhibit A shall be considered a Covered Entity for the purpose of this policy and any related procedure.
  5. Business Associate - A person or organization, other than a member of a Covered Entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information. Generally, the University will not enter a business associate agreement or become a Business Associate with an external organization or person in which the university is not the actual covered entity. Any Business Associate agreement must be approved by University Legal Counsel prior to the execution of said agreement.
  6. Notice of Privacy - A notice of a Covered Entity’s privacy practices which must be given to each patient explaining the covered entity’s safeguards to maintain patient confidentiality and the patient’s right to privacy.
  7. Confidentiality Statement - Written privacy policies and procedures that are consistent with the Privacy Rule outlining the employee’s responsibilities related to privacy practices. Each employee within the Covered Entity should have on file in his/her personnel record acknowledgement of training regarding the privacy rule and a signed statement agreeing to abide by the rule and protect the patient’s privacy.
  8. Release of Information – Form(s) that patients are required to provide to a covered entity granting permission for the entity to release confidential, protected health information.


The Covered Entity must:

  • Appoint a HIPAA compliance and security officer or officers.
  • Implement policies and procedures with respect to Protected Health Information (PHI) that comply with HIPAA regulations including, but not limited to, ensuring compliance with and enforcement of PHI security, use and disclosure with other University employees as well as any disclosures provided to external third parties. Updates to this policy and supporting information security policies will be communicated to all department managers, and department managers are expected to update the department copies accordingly and inform their workforce of changes.
  • Maintain the policies and procedures in written (paper or electronic) form.
  • Implement a training program that includes computer security incident training and general security awareness that informs all the Covered Entity’s staff, including management, of all policies and procedures that apply to them in their individual roles. Training should be provided routinely, on a periodic basis and should be documented for all employees.
  • Make the policy and training available to all staff responsible for implementing the policies and procedures to which the documentation applies.
  • Inform patients of the Covered Entity’s HIPAA policies and procedures and the patient’s rights and responsibilities and receive and maintain written acknowledgement of receipt of such information.
  • Require a patient’s (or legal guardian if the patient is a minor) written authorization for Release of Information for any use or disclosure of protected health information that is not for treatment, payment or health care operations or otherwise permitted or required by the Privacy Rule. The release of information should state patient’s name, date of birth and specific dates of service.
  • Promptly document and process any complaints of alleged HIPAA violations, mitigate any damages, investigate, and address any violations.
  • Perform regular, ongoing monitoring, assessment, and revision, as necessary, to ensure continued compliance and enforcement of HIPAA standards.
  • Perform regular, ongoing monitoring, assessment, and revision, as necessary, of HIPAA policies and procedures and documentation in response to environmental, operational, staff, technical, or legal changes.
  • Ensure that access to WCU PHI and electronic record systems is restricted to appropriately authorized and identified individuals, and protected in accordance with this policy, University policy #97, Data Security and Stewardship, and University Policy #106, Identity Theft Prevention Program
  • Ensure that any requests for computer access to PHI data are reviewed by department managers in the appropriate healthcare area to determine the access rights of the workforce member. Access rights will only be granted for legitimate business purposes and should not exceed the minimum necessary for a workforce member’s assigned duties.
  • Ensure that department managers in designated health care areas will be responsible for documenting the location of PHI, either electronic or paper records, and implementing appropriate procedures to secure locations that contain PHI.
  • Ensure that Business Associate Agreements are compliant with HIPAA standards and the HITECH act.


This policy shall be reviewed and revised as necessary every two (2) years.


International Standards Organization (ISO/IEC 27002:2022, Clause 5 Organizational Controls)

45 CFR Part 164, Subpart C, Security and Privacy

University Policy #52, Responsible Use of Information Technology Resources

University Policy #97, Information Security and Privacy Governance

University Policy #106, Identity Theft Prevention Program

University Policy # 122, Video Capture Policy

 EXHIBIT A – Western Carolina University employees subject to HIPAA regulations

Employees that work in direct patient care areas and generate medical records, including:

  • Health Services (includes Campus EMS)
  • Counseling and Psychological Services
  • Department of Sports Medicine (Athletics)
  • Speech and Hearing Clinic
  • Physical Therapy Clinic
  • WCU Psychological Services Clinic
  • Any other employees that provide patient care and generate medical records

Employees that through the required responsibilities of the position, potentially have access to PHI:

  • Information Technology staff
  • Environmental Services staff that clean in patient care areas
  • Safety and Risk Management Office (worker’s compensation administration)
  • Legal Counsel
  • Compliance Officer
  • Title IX Coordinator

Employees that provide direct oversight, management, and administrative duties on behalf of the university:

  • Student Concern Response Team
  • Executives/Administrators with organization responsibility for patient care area

Departmental Policies:

Health Services Policy Patient Rights and Responsibilities.docx 

Health Services Policy Patient Release of Information.docx 


WCU Confidentiality Agreement: Confidentiality/Security Agreement 

WCU Business Associate Agreement: HIPAA Business Associates Agreement 



Office of Web Services