HIPAA Change Management Process

1. Responsible department and/or vice-chancellors inform at stakeholders meeting or by email of change in department activity that affects HIPAA status.

2. HIPAA Stakeholders meet four times a year to prioritize HIPAA activities across the system, allocate resources and approve all ensuing HIPAA related items.

3. HIPAA Work Team is a select team of subject matter experts from all campuses. Work team meets on a regular basis (twice a month, or on need basis). All the HIPAA activities are brought to this team and approved to move up to the Stakeholders team for final approval.

4. In order to determine if your unit is within HIPAA scope, complete the organization questionnaire

5. The completed organization questionnaire will be reviewed by HIPAA Work Team. 

6. Based on the initial assessment, the Work Team will recommend whether the unit is

(a) HIPAA Individual Health Care Component

(b) Business Associate

(c) Non-HIPAA. These are the units that collect, maintain and process Protected Health Information but not bill for insurance. These units need to be reviewed every year to validate the HIPAA status.

 (d) FERPA

7.  If unit is 6(a), then it is under HIPAA scope that requires

(i)  complete a risk analysis.

(ii)   identify any corrective actions that need to be taken

(iii)  execute corrective actions

(iv)  prepare and turn in your report.

8. If unit is 6(b), complete the Business Associate Agreement.

9. If unit is 6(c), follow PHI Data Privacy Standards.

10. If unit is 6(d), report the PHI handling process to Registrars.

11. Units should be reviewed annually to confirm that they are still classified correctly and operating under proper procedure.