I. Purpose

Elon University is committed to protecting the privacy and security of health information in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This policy outlines the standards for safeguarding Protected Health Information (PHI) and ensuring compliance with HIPAA regulations.

II. Scope

This policy applies to all University departments, employees, contractors, volunteers, and students who may have access to PHI as part of their roles or academic activities. PHI is defined as any information related to an individual’s health status, healthcare, or payment for healthcare that can be linked to a specific person.

III. Definitions

  1. Protected Health Information (PHI): Any individually identifiable health information transmitted or maintained in any form or medium.
  2. Covered Entity: A health plan, healthcare clearinghouse, or healthcare provider that transmits health information electronically.
  3. Business Associate: Any organization or individual that performs activities involving PHI on behalf of a covered entity.

IV. Responsibilities

  1. Privacy Officer: Elon University will designate a Privacy Officer responsible for overseeing HIPAA compliance, including training, monitoring, and responding to potential violations.
  2. Employees and Students: All personnel must safeguard PHI and report potential breaches to the Privacy Officer promptly.

V. Use and Disclosure of PHI

  1. PHI may only be used or disclosed for treatment, payment, and healthcare operations, or as otherwise permitted or required by law.
  2. Written authorization must be obtained from individuals for uses or disclosures not covered under permissible exceptions.
  3. Minimum Necessary Standard: Access to PHI will be limited to the minimum necessary information needed to fulfill job responsibilities.

VI. Safeguards

  1. Administrative Safeguards: Policies and procedures will be implemented to prevent, detect, and correct potential HIPAA violations.
  2. Physical Safeguards: PHI must be stored securely to prevent unauthorized access. Hard copies should be locked away when not in use, and electronic systems must have password protection.
  3. Technical Safeguards: Electronic PHI will be protected through encryption, secure access protocols, and regular audits.

VII. Training

Elon University will provide mandatory HIPAA training for all employees, contractors, and students who handle PHI. Training will be conducted upon hiring and annually thereafter.

VIII. Breach Notification

  1. Reporting: All suspected or confirmed breaches of PHI must be reported immediately to the Privacy Officer.
  2. Investigation: The Privacy Officer will investigate reported breaches and take appropriate action, including notifying affected individuals and regulatory authorities as required by law.

IX. Enforcement and Disciplinary Actions

Violations of this policy may result in disciplinary action, up to and including termination of employment or academic expulsion, in accordance with University policies.

X. Retention of Records

PHI and related documentation will be retained for a minimum of six years or as required by applicable laws and University policies.

XI. Amendments

Elon University reserves the right to amend this policy as necessary to comply with changes in laws or regulations or to enhance its privacy and security practices.

Contact Information

For questions or concerns about this policy, contact the Privacy Officer, Dr. Jana Lynn Patterson:
By e-mail: patters@elon.edu
US mail: 2045 Campus Box, Elon, NC 27244
Phone: (336) 278-7200

Effective Date: 10/1/2022
Approved By: HIPAA Advisory Committee