COMMISSION POLICY AND PROCEDURE RELATED TO COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)
HIPAA is the federal law that governs how "Covered Entities" and “Business Associates” handle the privacy and security of patients' protected health information (PHI). HIPAA Covered Entities include health care providers and health plans that send certain information electronically. The Commission may be deemed a "Business Associate" of certain institutions that are HIPAA Covered Entities. A Business Associate is an individual or entity that performs a function or activity on behalf of a HIPAA Covered Entity involving the use or disclosure of individually identifiable health information. Business Associates must comply with certain HIPAA Security and Privacy rules and implement training programs. The program's documentation for CODA must not contain any patient protected health information (“PHI”) or sensitive personally identifiable information (“PII”). If the program/institution submits documentation that does not comply with the Privacy and Data Security Summary for Institutions/Programs (linked below), CODA will assess a penalty fee of $1000 to the institution; a resubmission that continues to contain PHI or PII will be assessed an additional $1000 fee.
Privacy and Data Security Summary for Institutions/Programs (PDF)