Commission Policy and Procedure Related to Compliance with the Health Insurance Portability and Accountability Act (HIPAA)
HIPAA is the federal law that governs how "Covered Entities" and “Business Associates” handle the privacy and security of patients' protected health information (PHI). HIPAA Covered Entities include health care providers and health plans that send certain information electronically. The Commission may be deemed a "Business Associate" of certain institutions that are HIPAA Covered Entities. A Business Associate is an individual or entity that performs a function or activity on behalf of a HIPAA Covered Entity involving the use or disclosure of individually identifiable health information. Business Associates must comply with certain HIPAA Security and Privacy rules and implement training programs. The program's documentation for CODA must not contain any patient protected health information (“PHI”) or sensitive personally identifiable information (“PII”). If the program submits documentation that does not comply with the Privacy and Data Security Summary for Institutions/Programs (linked below), CODA will assess an administrative fee of $4000 per program submission to the institution; a program’s resubmission that continues to contain prohibited data will be assessed an additional $4000 fee.
Privacy and Data Security Summary for Institutions/Programs (PDF)