HIPAA & Healthcare
Key Data Protection Elements of HIPAA
The HIPAA Privacy Rule establishes national standards for protecting individuals' medical records and other personal health information. It limits the use and disclosure of health information and grants patients specific rights regarding their health information, including:
- The right to access their health information
- The right to request corrections to their health information
- The right to know how their health information is used and shared
The HIPAA Security Rule sets national standards for securing electronic protected health information (ePHI). It mandates appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI.
The HIPAA Breach Notification Rule requires covered entities and business associates to notify affected individuals, the U.S. Department of Health and Human Services (HHS), and in some cases the media, of a breach of unsecured protected health information.
University Compliance
The University operates as a hybrid entity, designating certain areas as Covered Components that must implement appropriate safeguards to prevent unauthorized use or disclosure of PHI. Supporting Units that access PHI on behalf of Covered Components must also follow the policy requirements. The University requires Business Associate Agreements with external entities that perform functions involving PHI.
Faculty, staff, and students at the University must take HIPAA & healthcare training when handling PHI within treatment, clinical research, and healthcare operational settings.
All members of the KU community are obligated to report known or suspected information security incidents to ensure ongoing compliance and protection of sensitive health information.
The HIPAA Compliance Policy applies to the Lawrence and Edwards campuses, including employees, students, volunteers, and business associates involved with Protected Health Information (PHI).
University Healthcare Clinics
The University operates healthcare clinics that serve patients, including both students and non-students. The Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA) apply differently to these patients' records, which affects how we handle health information.
Key Points
- Student health records maintained by the University are generally subject to FERPA protections.
- Health records for non-student patients are typically covered by HIPAA regulations when the healthcare clinic engages in standard electronic transactions related to healthcare services.
- Disclosure requirements and privacy protections may differ depending on whether FERPA or HIPAA applies.
The U.S. Department of Education and Department of Health and Human Services have issued joint guidance on the application of FERPA and HIPAA to student health records. This guidance clarifies how these regulations intersect in educational settings that provide healthcare services.
For more information, consult the University Privacy Officer or Office of General Counsel.
University of Kansas Medical Center
For comprehensive information about HIPAA & Healthcare at the University of Kansas Medical Center, visit the University of Kansas Medical Center.