ROWAN UNIVERSITY POLICY
Title: Uses and Disclosures of Protected Health Information: With and Without Authorization
Subject: Office of Compliance & Corporate Integrity (OCCI)
Policy No: OCCI: 2013:P04
Applies: RowanSOM
Issuing Authority: President
Responsible Officer: Chief Audit, Compliance & Privacy Officer; Director of Information Security
Adopted: 07/01/2013
Last Revision: 01/26/2021
Last Reviewed: 01/26/2021
I. PURPOSE
To establish the requirement for Rowan University School of Osteopathic Medicine (RowanSOM) uses and disclosures of individually identifiable protected health information (PHI) to be in conformance with state and federal regulations. This policy clarifies when an authorization is or is not required and/or clarifies when an opportunity to agree or disagree must be provided regarding the use and disclosure of protected health information. It establishes the necessary elements that must be included in these authorizations, and the extent of the information that may be used or disclosed.
II. ACCOUNTABILITY
Under the direction of the President, the Dean, Senior Vice President for Academic Affairs, General Counsel, Chief Audit, Compliance & Privacy Officer, Vice President for Finance and Treasurer and the Vice President for Supply Chain Management shall ensure compliance with this policy.
III. APPLICABILITY
This policy applies to health information, including demographic information collected from an individual, whether oral or recorded in any form or medium, only when it meets the following conditions:
It is created or received by any unit or department of RowanSOM acting in the capacity of a health care provider, health plan, employer or health care clearing house.
- It relates to a past, present or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or payment for the provision of health care.
- It can identify the patient, or there is a reasonable basis to believe that it can be used to identify an individual. Health information is considered not individually identifiable under the following two conditions:
- Where the risk is very small that the information could be used to identify the individual. Risk is determined by using generally accepted and documented statistical and scientific principles and methods; and
- Where all identifying information is removed. See Attachment 1 for a list of 18 identifiers that must be removed regarding the individual, relatives, employer and other household members to de-identify health information.
- This policy does not apply to health information in education records covered under the Federal Education Right and Privacy Act (FERPA), 20 USC 1232g; and records under FERPA at 20 USC 1232g(a)(4)(B)(iv). See University policy, Family Educational Rights and Privacy Act, 00-01-25-05:00.
IV. REFERENCES
- 45 CFR 164.508 Code of Federal Regulations, Title 45, Part 164, Section 508, Security and Privacy, Uses and disclosures for which an authorization is required.
- 45 CFR 164.510 Code of Federal Regulations, Title 45, Part 164, Section 510, Security and Privacy, Uses and disclosures requiring an opportunity for the individual to agree or object is not required.
- 45 CFR 164.512 Code of Federal Regulations, Title 45, Part 164, Section 512, Security and Privacy, Uses and disclosures for which consent, authorization or opportunity to agree or object is not required.
- Federal Education Right and Privacy Act (FERPA), 20 USC 1232g and 20USC1232g (a) (4) (B) (IV).
- Family Educational Rights and Privacy Act
- Common Rule and FDA’s Human Subject Protection Regulations
V. POLICY
- RowanSOM and all its units shall appropriately protect the privacy of PHI that can identify an individual in compliance with federal and state law.
- RowanSOM will not use or disclose PHI without a valid authorization by the individual unless it is permitted under the following circumstances and is in accordance with state and federal law and this policy:
- When requested by the Secretary of the United States Department of Health and Human Services (DHH) to investigate or determine compliance with the privacy standard;
- When the disclosure is to the individual to whom the PHI pertains, or a legal personal representative, including requests for accounting or access to inspect or copy;
- To carry out treatment, payment or healthcare operations (TPO);
- Where an opportunity to agree or to object has been afforded to the individual and the individual does not object to the use and disclosure of PHI in the following circumstances:
- To include the individual in facility directories,
- To family and friends involved with the individual’s care or payment related to the individual’s healthcare, or
- To disaster relief agencies to coordinate the notification of family and friends regarding the individual’s location, condition, or death;
- Under the following circumstances when the use or disclosure meets the conditions and requirements detailed in Attachment 2 and in accordance with federal and any stricter state law:
- For public health activities as discussed under 45 CFR 164.512(b);
- To governmental authorities about victims of abuse, neglect and domestic violence under the conditions discussed in 45 CFR 164.512(c);
- To health oversight agencies for oversight activities authorized by law;
- For judicial and administrative proceedings under the conditions discussed in 45 CFR 164.512(e);
- To law enforcement officials for certain law enforcement purposes under the conditions discussed in 45 CFR 164.512(f);
- To coroners and medical examiners for the purpose of identifying a deceased person or cause of death, or other duties authorized by law; and to funeral directors to carry out their duties;
- For cadaveric organ, eye or tissue donation;
- For research purposes when the Institutional Review Board approved an alteration to or waiver of the individual authorization requirement in compliance with 45 CFR 164.512(i) and appropriate representations and documentation regarding the use and disclosure is obtained from the researcher in accordance with 45 CFR 164.512(i);
- To avert a serious threat to health or safety of a person or the public;
- For specialized government functions including military and veterans activities; for protective services to the President of the USA; for national security activities; and to a correctional institution or law enforcement official about a lawfully detained individual under certain conditions;
- To the extent that the use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law;
- To report health care fraud;
- To other health care entities for their treatment, payment and operational purposes (see Attachment 3).
- When the information has been de-identified and there is no actual knowledge by RowanSOM that any of the remaining information could identify the individual. See Attachment 1 for the 18 pieces of information that must be removed to qualify as de-identified information.
- RowanSOM will comply with stricter state and federal law that affords greater protection to privacy rights as they relate to the privacy of individuals including but not limited to treatment for drug and alcohol use, HIV/AIDS, and mental health.
- For psychotherapy notes, a valid authorization must be obtained for any use and disclosure except under the following circumstances.
- For TPO of or by RowanSOM, only the following uses and disclosures are authorized:
- By the originator of the psychotherapy notes for treatment, but may not disclose it to anyone else;
- By the unit in training programs in which students, trainees, or practitioners in mental health learn or improve counseling skills; or
- By the unit to defend a legal action or other proceeding brought by the individual.
- To the extent that it is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.
- To health oversight agencies with respect to the oversight of the originator of the psychotherapy notes only;
- To coroners, medical examiners for the purpose of identifying a deceased person or cause of death, or other duties authorized by law; and to funeral directors to carry out their duties.
- To prevent or lessen a serious and imminent threat to the safety of a person or the public, unless information obtained in treatment initiated by the individual 45 CFR164.512 (i).
- For TPO of or by RowanSOM, only the following uses and disclosures are authorized:
- Uses and Disclosures for Treatment, Payment and Health Care Operations (TPO)
- RowanSOM workforce may use and disclose PHI necessary for treating patients, obtaining payment for items and services, and conducting administrative and operational tasks as necessary to provide health care services as defined in Attachment 2.
- Members outside of the workforce (business associates) that provide certain functions, activities, or services for or to RowanSOM involving uses and disclosures of PHI in order to help RowanSOM carry out its health care functions, other than for treatment purposes, must enter into Business Associate Contracts with RowanSOM prior to their access to such information. The Vice President for Supply Chain Management shall be responsible for communicating and enforcing this section to vendors, independent contractors, business associates, etc.
- Patients may request restrictions on the uses or disclosures of health information for TPO. RowanSOM need not agree to the restriction requested, but will be bound by any restriction to which it agrees, only after the individual patient pays in full, prior to the initiation of the service(s)[164.522]. Any agreement to restrict must be appropriately documented on the Request for Restriction Form which can be accessed at the following website: https://www.rowan.edu/compliance
and kept in the medical record, such restrictions must be clearly indicated on the face of the chart or somewhere obvious to anyone accessing the chart. - The following types of operational activities may require a valid authorization:
- Marketing activities require an authorization prior to RowanSOM use and disclosure.
- Marketing includes any communication where the effect of the communication is to encourage recipients to purchase or use the product or service.
- Marketing does not constitute communications in the course of managing the treatment of the individual for purposes of "case management" and "care coordination."
- Authorizations for marketing along with the core elements discussed below must include the statement that the marketing is expected to result in direct or indirect remuneration to RowanSOM from the third party, if true.
- Exception: Face to face communications made by RowanSOM to the individual does not require an authorization.
- Fundraising activities: Only the following PHI may be disclosed without authorization to an institutionally related foundation for the purposes of raising funds for RowanSOM’s own benefit (if the foundation is run by non-RowanSOM entity, a business approved limited data set agreement must be in place):
- Demographic information relating to an individual; and
- Dates of health care provided to an individual.
- RowanSOM must include in any fundraising materials a description of how the individual may opt out of receiving future communications; and RowanSOM must make sure those individuals who opt out do not receive any future communications.
- Research activities require a written authorization unless there is written documentation that the IRB either waived or altered the requirement. See Attachment 2 under "Research" for requirements and specifications under which an authorization would not be required.
- Marketing activities require an authorization prior to RowanSOM use and disclosure.
- Opportunity to Agree or Object
- In the following three (3) circumstances, PHI may be disclosed without an authorization as long as the patient is given an opportunity to agree or object. Units must establish a process to document that opportunity was afforded and if the individual objected.
- Facility Directories
- During registration process in units that utilize facility directories, all patients must be told that the information about them will be placed in the facility directory to provide information to friends, family, clergy and the press if requested and that they may object or request restrictions.
- The information that may be included in the directory is as follows:
- the patient’s name;
- the patient’s location;
- the patient’s condition, as undetermined, good, fair, serious or critical; and
- the patient’s religious affiliation.
- Specific medical information about the individual may not be included.
- Patients may agree or object orally or in writing. Each unit however should document the notification and response on a log sheet or in some other manner so as to be able to ascertain the patient’s previous preference in a future visit where an opportunity to object may not practicably be provided.
- In emergency situations involving patient incapacity, where the opportunity to object cannot practicably be provided, the patient’s most recent preference, if known, will be honored upon a determination by the attending physician or house supervisor that the disclosure is in the best interest of the patient.
- No directory information will be disclosed unless asked by name, except to members of the clergy.
- Facility Directories
- To Persons involved in a Patient’s Care or Payment
- PHI may be disclosed to a family member, a personal representative of the individual or another person when:
- That information is relevant to such person’s involvement with the individual’s care or payment related to such care, or
- To notify (or assist in the notification of) such persons of the individual’s location, general condition or death, and
- When section V.F.2.b. and section V.F.2.c. are complied with.
- If the individual is present and has the capacity to make healthcare decisions, the unit may use or disclose the PHI only if it:
- Obtains the individual’s agreement;
- Provides the individual the opportunity to object and the individual does not object; or
- Can be reasonably inferred from the circumstances, using professional judgment that the individual does not object to the disclosure.
- If the individual is not present, due to an incapacity or emergency circumstance, the unit may disclose only if:
- The PHI is directly relevant to the person’s involvement with the individual’s health care, and it is in the individual’s best interest.
- Units may use professional judgment and experience with common practice to make reasonable inferences regarding the individual’s best interest in allowing a person to act on behalf of the individual to “pick up filled prescriptions, medical supplies, X-rays, or other similar forms of PHI.”
- PHI may be disclosed to a family member, a personal representative of the individual or another person when:
- Disaster Relief Efforts
- PHI may be used or disclosed to a public or private entity authorized by law or by its charter to assist in disaster relief efforts. The above rules for use and disclosure of PHI for involvement in an individual’s care and notification (depending upon whether the individual is present or not) apply as long as they do not interfere with the public or private entity’s ability to respond to a disaster relief situation.
- In the following three (3) circumstances, PHI may be disclosed without an authorization as long as the patient is given an opportunity to agree or object. Units must establish a process to document that opportunity was afforded and if the individual objected.
- Authorizations
- Units may use and disclose PHI when a valid authorization is obtained.
- For requests for authorization initiated by RowanSOM, all units must use RowanSOM's standardized authorization form, Authorization for Release of Information, which can be accessed at the following website: http://www.rowan.edu/compliance.
- All sections must be complete. Changes or variations to the authorization forms must be approved by the Chief Audit, Compliance & Privacy Officer in the Office of Compliance & Corporate Integrity. Treatment may not be conditioned on obtaining the authorization (unless related to approve research clinical trial).
- If the authorization was received from the individual or third party, determine the validity of the authorization. The following elements must be present:
- A description of the specific information to be used or disclosed.
- Name of the specific person or entity authorized to disclose the information.
- Name of the specific person or entity to whom RowanSOM may make the requested use or disclosure and, if information is to be mailed, the address of the person or entity.
- The date, event or condition upon which the authorization will expire.
- The individual’s signature and date.
- A description of the personal legal representative's authority to sign, if applicable.
- A description of the purpose of the disclosure. (Not required if the individual requests disclosure for own use).
- A statement in which the individual acknowledges that he or she has the right to revoke the authorization, instructions on how to exercise such right or to the extent the information is included in the covered entity's notice, a reference to the notice.
- A statement that treatment may not be conditioned on obtaining the authorization, unless it is research related and disclosure of the information is for the particular research study. For purposes of research, where treatment may be conditioned on obtaining the authorization, a statement about the consequences of refusing to sign the authorization.
- A statement in which the individual acknowledges that information used or disclosed to any entity other than a health plan or health care provider may no longer be protected by federal privacy law.
- If the authorization is for marketing purposes and the marketing is expected to result in direct or indirect remuneration to RowanSOM from a third party, a statement of this fact.
- If the disclosure requested involves mental health information, the authorization must also include the following:
- The specific purposes for which the information may be used, both at the time of disclosure and any time in the future; and
- That the patient is aware of the statutory privilege accorded to confidential communications between a patient and a licensed psychologist and psychiatrist.
- Defective Authorizations
- An “authorization” is not considered valid if it has any of the following defects:
- The expiration date has passed.
- The form has not been filled out completely.
- The authorization is known by RowanSOM to have been revoked.
- The form lacks any required element.
- The information on the form is known by RowanSOM to be false.
- Treatment was conditioned upon obtaining the authorization (except for research purposes).
- An “authorization” is not considered valid if it has any of the following defects:
- Legal Representatives
- If the authorization is signed by a legal representative or other person authorized to act for the individual, the request must be accompanied by documentation of the representative’s legal authority to act on behalf of the individual.
- Revocation of Authorization.
- A patient who has executed an authorization for disclosure or use of individual health information may revoke the authorization at any time by sending a written notice to Rowan University as described in RowanSOM’s Notice of Privacy Practices.
- The written notice must refer to the specific authorization being revoked (e.g., “my authorization of January 27, 2002”) and be signed and dated by the individual or his or her legal representative.
- The revocation becomes effective upon receipt by RowanSOM, with the exception of uses or disclosures made by RowanSOM prior to receipt.
- A patient who has executed an authorization for disclosure or use of individual health information may revoke the authorization at any time by sending a written notice to Rowan University as described in RowanSOM’s Notice of Privacy Practices.
- For Research-Related Health Information
- The core elements of an authorization as described below may be combined with the informed consent to participate in the research.
- Rowan University may condition the provision of research related treatment (related to the clinical trial) on obtaining authorization.
- RowanSOM may use and disclose for a specific research study, PHI that is created or received before and after HIPAA's compliance date (April 14, 2003), and/or prior to the new authorizations being implemented, as long as some other express legal permission to use and disclose the information for the research study was obtained.
- Archived information may continue to be used and disclosed for the research study if an individual had originally signed an informed consent to participate in the research study, or IRB waived informed consent, in accordance with the Common Rule or FDA's human subject protection regulations.
- An accounting of all disclosures made under an authorization must be documented and maintained. See University policy, Accounting of Disclosures of Health Information.
- Extent of the Information That May be Used and Disclosed.
- For disclosures made under a valid authorization, disclose the information to the extent specified in the authorization.
- Absent an authorization, each unit must make reasonable effort to limit the use or disclosure of, and requests for, PHI to the minimum necessary to accomplish the intended purpose. The minimum necessary rule does not apply to the following circumstances:
- Disclosures to or requests by a health care provider for treatment purposes.
- Disclosures to the individual or personal legal representative, who is the subject of the information.
- Uses and disclosures made pursuant to an authorization.
- Uses or disclosures required for compliance with the standardized HIPAA electronic transactions.
- Disclosures to the Department of Health and Human Services when disclosure of information is required under HIPAA for enforcement purposes.
- Uses and disclosures that are required by law.
- Each unit must make an assessment of what PHI is reasonably necessary for a particular purpose, given the characteristics of the unit's business practices and workforce, and to implement policies and procedures accordingly. Policies and procedures should address the following:
- Internal use by the unit’s workforce for uses other than for treatment purposes. Identify the persons or classes of persons within the workforce who need access to the information to carry out their job duties, the categories or types of PHI needed, and conditions appropriate to such access.
- Routine and recurring disclosures to third parties. Limit the PHI to the minimum amount reasonably necessary to achieve the purpose of the disclosure.
- Non-routine disclosures to third parties. Criteria must be developed that limit the disclosure of PHI to the minimum information reasonably necessary to accomplish the purpose for which disclosure is sought. Requests for disclosures must be reviewed on a case-by-case basis in accordance with such criteria. Units may rely (if such reliance is reasonable) on a requested disclosure being the minimum necessary for the stated purpose when:
- The covered entity is making disclosures to a public official where no authorization or consent is required, and the public official represents that the information requested is the minimum necessary;
- The information is requested by another health care provider, health plan or health care clearing house covered under HIPAA;
- The information is requested by a professional who is a member of RowanSOM’s workforce or business associate for the purpose of providing professional services to RowanSOM, if the professional represents that the information requested is the minimum necessary for the stated purpose; or
- Documentation or representations are made that comply with the requirements of 45 CFR 164.512(i) (regarding uses and disclosures involving research).
- Verification Requirement
- Each unit will verify the identity and authority of persons requesting PHI. Verification procedures should be reflected in policies and procedures accordingly.
- If the requesting person is a public official or someone acting on his or her behalf, units may rely upon the following:
- Agency identification badge, credentials or other proof of status;
- Government letterhead, if request is by letter;
- A written statement of the legal authority (or, if impracticable, an oral statement) under which the information is requested.
- If a request is made pursuant to a legal process, warrant, subpoena, order, or other legal process, it is presumed to constitute legal authority.
- For persons acting on behalf of the official, a written statement on government letterhead or other evidence or documentation that establishes that the person is acting under the public official's authority (such as contract for services, memo of understanding). In this event, units must contact the Office of Legal Management to inform of such request by Public Officials.
- A unit may rely on the exercise of professional judgment as to disclosures pursuant to facility directories, to persons involved in a patient’s care or payment and notification, and in relation to disaster relief as discussed in section V.F.3. and as to disclosures regarding serious threats to health and safety as discussed in Attachment 2.
VI. ATTACHMENTS
- Attachment 1, List of Identifiers and De-Identification Process
- Attachment 2, Disclosures of PHI No Authorization Required
- Attachment 3, Treatment, Payment and Health Care Operations
VIII. NON-COMPLIANCE AND SANCTIONS
Any individual who violates this policy shall be subject to discipline up to and including dismissal from the University in accordance with their union and University rules. Civil and criminal penalties may be applied accordingly. Violations of this policy may require retraining and be reviewed with employee during the annual appraisal process. The Deans of each College, Vice Presidents, and University President, with the assistance of the Department of Human Resources, will enforce the sanctions appropriately and consistently to all violators regardless of job titles or level within the University and in accordance with bargaining agreements for represented employees. Any sanction costs or fines will be borne by the Department and the Department Chair or VP will determine how these funds will be assigned.
By Direction of the President:
Signature on file
__________________________________________
Chief Audit, Compliance and Privacy Officer
Signature on file
__________________________________________
Rowan Security Officer
ATTACHMENT 1
LIST OF IDENTIFIERS AND DE-IDENTIFICATION PROCESS
- RowanSOM may use protected health information (PHI) where information that can identify the individual not present and where RowanSOM has no reasonable basis to believe that information can be used to identify the individual. RowanSOM can create de-identified information by removing, coding, encrypting, or otherwise eliminating or concealing the following information regarding the individual, relatives, employers, or household members:
- Names
- Street address, city, county, precinct, zip code, and equivalent geocodes
- All elements of dates (except year) for dates directly related to the individual, including birth date, admission date, discharge date, date of death, and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of 90 or older
- Birth date
- Telephone numbers
- Fax numbers
- Electronic mail addresses
- Social security number
- Medical record number
- Health plan beneficiary number
- Account numbers
- Certificate/license number
- Any vehicle identifiers and serial numbers, including license plate numbers
- Web Universal Resource Locator (URL)
- Internet Protocol (IP) address number
- Finger or voice prints; biometric identifiers
- Full face Photographic images; and any comparable images
- Any other unique identifying number, characteristic, or code that Rowan University has reason to believe may be identifiable to an anticipated recipient of the information.
- Research, Public Health and Healthcare operations - For disclosures for research use, only the following 9 identifiers must be removed:
- name
- street address
- telephone and fax number
- e-mail addresses
- social security number
- certificate/license number
- vehicle identifiers and serial numbers
- URLs and IP addresses
- Full face photos
- A covered entity can re-identify any information that has been de-identified as long as two conditions are satisfied. If the conditions are satisfied, a covered entity may use a code or some other method of recordation. First, the code or method of recordation cannot be derived from or related to information about the individual that would enable identification of the individual. Second, the covered entity cannot use or disclose either the code or other method of recordation or the mechanism for any other purpose or disclosure of the method for re-identification.
ATTACHMENT 2
DISCLOSURE OF PROTECTED HEALTH INFORMATION (PHI)
NO AUTHORIZATION REQUIRED
| RowanSOM may disclose Protected Health Information (PHI) for public health activities as follows:
|
2. Victims of Abuse, Neglect, or Domestic Violence | In addition, RowanSOM may disclose PHI to a government authority about individuals reasonably believed to be victims of abuse, neglect, or domestic violence. Such disclosures involving adults are permitted if:
RowanSOM must promptly inform the individual of such report unless the provider believes informing the individual would place the individual at risk of serious harm or the provider would be informing a personal representative that the covered entity believes is responsible for the abuse, neglect, or other injury, and that informing such person would not be in the best interest of the individual. |
3. Health oversight activities | RowanSOM may disclose PHI to a health oversight agency for oversight activities authorized by law, including audits; civil, administrative, or criminal investigations; inspections; licensure or disciplinary actions; civil, administrative, or criminal proceedings or actions; or other activities necessary for the appropriate oversight of
RowanSOM may not disclose PHI under this section if an investigation or other activity relates to an individual but does not arise out of and is not directly related to:
|
4. Judicial and administrative proceedings | The RowanSOM Office of Legal Management will respond to all judicial and administrative proceedings. The Office of Legal Management will review the requests and either responds to the issuer of the request or advice about compliance with the request. |
5. Law enforcement purposes | RowanSOM may disclose PHI to a law enforcement official if:
All requests for disclosure of PHI by a law enforcement official must be referred to Legal Management for review prior to disclosure. |
6. Deceased Individuals | The PHI of a deceased individual may be disclosed without the personal representative's permission for three specific reasons that would not apply to living persons:
Otherwise, health records of deceased persons are protected as that of a living person and for up to 50 years after the pronouncement date. |
7. Organ Donation | RowanSOM may disclose PHI to organ procurement organizations or other entities engaged in procurement, banking, or transplantation of cadaveric organs, eyes or tissues for the purpose of facilitating organ, eye, or tissue donation and transplantation. |
8. Research Purposes |
|
9. Emergency Circumstances to Avert Threats to Safety | RowanSOM may, consistent with applicable law and standards of ethical conduct and based on a reasonable belief that the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of an individual, use or disclose PHI to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat.
|
ATTACHMENT 3
TREATMENT, PAYMENT AND HEALTH CARE OPERATIONS
- "Treatment" - the provision, coordination, or management of health care and related services by one or more health care providers, includes:
- the coordination or management of health care by a health care provider with a third party;
- consultation between health care providers relating to a patient; or
- the referral of a patient for health care from one health care provider to another.
- "Payment" - the activities undertaken to obtain payment for the provision of healthcare; and relates to the individual to whom health care is provided and includes, but is not limited to:
- Determinations of eligibility or coverage (including coordination of benefits or the determination of cost sharing amounts), and adjudication or subrogation of health benefit claims;
- Billing, claims management, collection activities, obtaining payment under a contract for reinsurance (including stop-loss insurance and excess of loss insurance), and related health care data processing;
- Obtaining information about the location of the individual is a routine activity to facilitate the collection of amounts owed and the management of accounts receivable, and, therefore, would constitute a payment activity.
- Debt collection is recognized as a payment activity.
- Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges;
- Utilization review activities, including pre-certification and pre-authorization of services, concurrent and retrospective review of services; an
- Disclosure to consumer reporting agencies of any of the following protected health information relating to collection of reimbursement:
- Name and address;
- Date of Birth;
- Social Security Number;
- Payment history;
- Account number; and
- Name and address of the health care provider and/or health plan.
- Health Care Operations" - any of the following activities:
- Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contracting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment;
- Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care providers, accreditation, certification, licensing, or credentialing activities;
- Conducting or arranging for medical review, legal services and auditing functions, including fraud and abuse detection and compliance programs;
- Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies; and
- Business management and general administrative activities of Rowan University School of Medicine, including, but not limited to:
- Resolution of internal grievances;
- Due diligence in connection with the sale or transfer of assets to a potential successor in interest, if the potential successor in interest is a covered entity or, following completion of the sale or transfer, will become a covered entity.