Access by Individuals to Protected Health Information

WASHINGTON UNIVERSITY
HIPAA Privacy Policy #1

Privacy Compliance

Statement of Policy

Washington University and its member organizations (collectively, “Washington University” or “WU”) are committed to conducting business in compliance with all applicable laws, regulations and WU policies. WU has adopted this policy to set forth its compliance with those standards established by the Department of Health and Human Services under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") regarding the privacy of individually identifiable health information (the "Privacy Regulations").

Scope of Policy

The scope of this Policy covers Washington University's general approach to compliance with the Privacy Regulations.

Policy

1) A Hybrid Entity

Washington University is a hybrid entity under the Privacy Regulations with both covered and non-covered functions. WU hereby designates its HIPAA covered functions as health care components for purposes of the Privacy Regulations. WU’s health care components are set forth in Exhibit A, attached hereto and incorporated herein, which Exhibit may be revised from time to time. Included within each designated health care component are various support services including, without limitation, legal, accounting, audit, finance, tax, risk management, information systems management, maintenance, facilities, environmental health and safety and the University's Compliance Office. Individuals who perform such support services for both HIPAA health care components and non-covered functions shall not use Protected Health Information that they obtain in the course of furnishing services for the HIPAA covered health care components to provide services to the non-covered functions. In addition, when Using or Disclosing Protected Health Information, the HIPAA covered health care components shall treat the non-covered functions as if they were legally separate entities. References within the Washington University HIPAA Privacy Policies to Washington University or WU mean the HIPAA covered entity components of Washington University.

2) A Single Affiliated Covered Entity

WU has ownership or membership interests in a number of separate legal organizations. These separate legal organizations shall be considered a single affiliated covered entity with Washington University for purposes of the Privacy Regulations, and shall be included as part of the Washington University School of Medicine ("WUSM") HIPAA health care component of WU. The separate legal entities that will be included as part of the WUSM component part of WU are set forth on Exhibit B, attached hereto and incorporated herein, which Exhibit may be revised from time to time.

3) An Organized Health Care Arrangement

WUSM and its affiliated teaching hospitals, Barnes-Jewish Hospital ("BJH") and St. Louis Children's Hospital ("SLCH"), participate in a clinically integrated care setting in which patients typically receive health care services from employees and agents of each of WUSM, BJH and SLCH. WUSM, BJH and SLCH have designated themselves as an organized health care arrangement under the Privacy Regulations and have developed and implemented a Joint Notice of Privacy Practices. Except as specifically stated herein or as might be agreed to in writing, each of BJH, SLCH and WUSM shall be responsible for ensuring its own compliance with the Privacy Regulations and in no event shall any of them be responsible for any other party's failure to comply with the Privacy Regulations.

4) Privacy Personnel

On behalf of its covered entity component parts, WU has designated a Privacy Officer with overall responsibility for the development and implementation of policies that conform to the Privacy Regulations ("Privacy Policies"). The Privacy Officer has identified a number of business units within the HIPAA covered entity components of WU. Each business unit has named a HIPAA Privacy Liaison and a HIPAA Privacy Trainer. The business unit HIPAA Privacy Liaison is responsible for ensuring that the business unit: (i) complies with all WU HIPAA Privacy Policies, (ii) develops and implements business unit-specific HIPAA privacy procedures ("Privacy Procedures") for each Privacy Policy that is applicable to that business unit and (iii) maintains the confidentiality of all Protected Health Information created or received by the business unit from the date such information is created or received until it is destroyed. The business unit HIPAA Privacy Trainer is responsible for ensuring that all staff members within the business unit have the appropriate level of HIPAA training as determined by the HIPAA Privacy Trainer in conjunction with the Privacy Officer.

5) Privacy Complaints

The Privacy Officer shall be responsible for facilitating a process for individuals to file a complaint regarding WU's Privacy Policies or the handling of Protected Health Information by a WU HIPAA health care component. The Privacy Officer shall be responsible for ensuring that the complaint and its disposition are appropriately documented and handled.

6) Mitigation, Sanctions and Non-Retaliation

WU shall ensure that its HIPAA health care components mitigate damages for any violation of the Privacy Regulations and the WU Privacy Policies and/or Privacy Procedures, appropriately discipline and sanction employees and other Workforce members for any violation, and refrain from intimidating or retaliating against any person for exercising his or her rights under the Privacy Regulations or for reporting any concern, issue or practice that such person believes in good faith to be in violation of the Privacy Regulations or the WU Privacy Policies and/or Privacy Procedures. WU shall not require any persons to inappropriately waive any rights of such person to file a complaint with the Department of Health and Human Services.

7) Privacy Policies and Procedures

The WU HIPAA Privacy Policies and Privacy Procedures are designed to ensure compliance with the Privacy Regulations. Such Privacy Policies and Privacy Procedures shall be kept current and in compliance with any changes in the law, regulations or practices of WU's covered entity component parts.

8) Responsibility of All Employees within WU HIPAA Covered Entity Component Parts

Every WU Employee within a HIPAA covered entity component part of WU is responsible for being aware of, and complying with, the Privacy Regulations and the WU Privacy Policies and Privacy Procedures.

Creation Date: March 17, 2003
Effective Date: April 14, 2003
Last Revision Date: March 17, 2003

EXHIBIT A

COMPONENT PARTS

1. Health Care Provider Component Parts

a) Washington University School of Medicine ("WUSM") (including the Barnes-Jewish Hospital Dialysis Center, Farmington Dialysis Center, Chromalloy American Kidney Center);

b) Psychological Counseling Service of the Department of Psychology in the School of Arts and Sciences,

c) Student Health and Counseling Services.

2. Health Plan Component Parts

a) Washington University Comprehensive Employee Welfare Benefit Plan (including medical plans, flexible health spending account plan and the employee assistance plan),

b) Health Plan for Washington University undergraduates,

c) Health Plan for Washington University Post-Doctoral Fellows,

d) Health Plan for Washington University School of Medicine students.

EXHIBIT B

AFFILIATED ENTITIES

Cardiothoracic Surgery North, LLC
Heart Care Institute Affiliated Services, LLC
Washington University Associates, Grant Medical Clinic, Inc
Washington University Clinical Associates, University Internal Medicine & Diabetes Associates
Washington University Health Ventures, Inc
Washington University Pain Control, LLC
Washington University Physician Network
Washington University Physician Network d/b/a Barnes Eyecare Network
The Heart Care Institute, LLC