COMMISSION POLICY AND PROCEDURE RELATED TO COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)
HIPAA is the federal law that governs how "Covered Entities" handle the privacy and security of patients' protected health information (PHI). HIPAA Covered Entities include health care providers and health plans that transmit certain health information electronically. The Commission may be deemed a "Business Associate" of certain institutions that are HIPAA Covered Entities. A Business Associate is an individual or entity that performs a function or activity on behalf of a HIPAA Covered Entity involving the use or disclosure of individually identifiable health information. Business Associates must comply with certain HIPAA Security and Privacy rules and implement training programs. The Commission "HIPAA Policy and Procedure Manual" is updated on a yearly basis. A copy of the manual is available upon request. All Commission site visitors, Review Committee members, Commissioners, and staff are required to attend a CODA HIPAA training session on a yearly basis.
The program's documentation submitted to CODA must not contain any patient protected health information. If the program/institution submits documentation that does not comply with the policy on PHI (noted above), CODA will assess a penalty fee of $1000 to the institution; a resubmission that still contains PHI or personally identifiable information (PII) will be assessed an additional $1000 fee.
Privacy and Data Security Summary for Institutions/Programs (PDF)