Definitions: "Individually Identifiable Health Information" - Any information that relates to a specifically identifiable
individual and includes demographic data and information that relates to the individual's past, present or
future physical or mental health or condition, the provision of health care to the individual, or the past,
present, or future payment for the provision of health care to the individual, and that identifies the
individual or for which there is a reasonable basis to believe it can be used to identify the individual such as:
- Health care claims or health care encounter information, such as documentation of doctor's visits and notes made by physicians and other provider staff;
- Health care payment and remittance;
- Coordination of health care benefits;
- Health care claim status;
- Enrollment and disenrollment in a health plan;
- Eligibility for a health plan;
- Health plan premium payments;
- Referral certifications and authorization;
- First report of injury;
- Health claims attachments.
"Protected Health Information" - The HIPAA Privacy Rule protects all "individually identifiable health
information" held or transmitted by a covered entity or its business associate, in any form or media,
whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information."
"De-identified Health Information" - There are no restrictions on the use or disclosure of de-identified health information. De-identified health information neither identifies nor provides a reasonable basis to identify an individual. There are two ways to de-identify information; either: (1) a formal determination by a
qualified statistician; or (2) the removal of specified identifiers of the individual and of the individual's
relatives, household members, and employers is required, and is adequate only if the covered entity has no
actual knowledge that the remaining information could be used to identify the individual. The University employs option two (2).
2.2 Wheeling Jesuit University will take appropriate actions to protect against unauthorized disclosure of any
individually identifiable health information that pertains to an employee's health care services. Appropriate
physical and technical safeguards will be implemented to protect against unauthorized disclosure of personally-identifiable
2.3 As a covered entity (a company health plan) as defined by the Health Insurance Portability and
Accountability Act (HIPAA), the University is required by law to maintain the privacy of protected health information. The areas
of the University that handle protected health information will require HIPAA Privacy Training for all employees who work with protected personally identifiable health information. Employees in those areas will be advised
and trained, and the individually identifiable health information will be treated as "private-confidential." Employees must not use e-mail to send information or ask questions related to protected individually
identifiable health information due to privacy issues addressed in HIPAA. All questions should be directed to the
Human Resources Department in person or by confidential university mail.
2.4 Permitted Uses and Disclosures. A covered entity is permitted, but not required, to use and disclose protected
health information, without an individual's authorization, for the following purposes or situations: (1) To the
Individual (unless required for access or accounting of disclosures); (2) Treatment, Payment, and Health Care Operations; (3) Opportunity to Agree or Object; (4) Incident to an otherwise permitted use and disclosure; (5)
Public Interest and Benefit Activities; and (6) Limited Data Set for the purposes of research, public health or
health care operations. Covered entities may rely on professional ethics and best judgments in deciding which of
these permissive uses and disclosures to make. All information used for health care operations, such as a census to obtain health care quotes, will be de-identified health information only.
2.5 If an employee believes that his/her privacy has been violated under this policy, s/he should contact Human
Resources immediately to resolve the complaint. If the issue is not resolved to his/her satisfaction, the
employee should follow the University's Dispute Resolution Procedure to resolve his/her complaint.
2.6 No employee may intimidate, threaten, coerce, discriminate against, or take other retaliatory action against
individuals for exercising their rights, filing a complaint, participating in an investigation, or opposing any
improper practice under HIPAA. No individual shall be required to waive his or her privacy rights under HIPAA as a condition of treatment, payment, enrollment or eligibility.
2.7 Corrective Action
Disclosure of any protected personally-identifiable health information outside the parameters of allowable uses
may be grounds for corrective action up to and including immediate termination.