ROWAN UNIVERSITY POLICY
Title: Uses and Disclosures of Protected Health Information: With and Without Authorization
Subject: Office of Compliance & Corporate Integrity (OCCI)
Policy No: OCCI: 2013: P03
Applies: RowanSOM
Issuing Authority: Rowan President & RowanSOM Dean
Responsible Authority: RowanSOM Chief Compliance and Privacy Officer & Rowan Security Officer
Adopted:
...
01/31
...
/2003
Amended:
...
07/01/2013
Reviewed:
...
01/12
...
/2015
I.
...
PURPOSE
To establish the requirement for Rowan School of Osteopathic Medicine (RowanSOM) uses and disclosures of individually identifiable protected health information (PHI) to be in conformance with state and federal regulations. This policy clarifies when an authorization is or is not required and/or clarifies when an opportunity to agree or disagree must be provided regarding the use and disclosure of protected health information. It establishes the necessary elements that must be included in these authorizations, and the extent of the information that may be used or disclosed.
II.
...
ACCOUNTABILITY
Under the direction of the President, the Dean, Executive Vice President of Administration and Strategic Planning, Executive Vice President for Academic and Clinical Affairs, General Counsel, Chief Compliance and Privacy Officer, Vice President for Finance and CFO and the Vice President for Supply Chain Management shall ensure compliance with this policy.
III.
...
APPLICABILITY
A. This policy applies to health information, including demographic information collected from an individual, whether oral or recorded in any form or medium, only when it meets the following conditions:
...
B. This policy does not apply to health information in education records covered under the Federal Education Right and Privacy Act (FERPA), 20 USC 1232g; and records under FERPA at 20 USC 1232g(a)(4)(B)(iv). See University policy, Family Educational Rights and Privacy Act, 00-01-25-05:00.
IV.
...
REFERENCES
A. 45 CFR 164.508 Code of Federal Regulations, Title 45, Part 164, Section 508, Security and Privacy, Uses and disclosures for which an authorization is required.
...
F. Common Rule and FDA's Human Subject Protection Regulations
V.
...
POLICY
A. RowanSOM and all its units shall appropriately protect the privacy of PHI that can identify an individual in compliance with federal and state law.
...
- Each unit will verify the identity and authority of persons requesting PHI. Verification procedures should be reflected in policies and procedures accordingly.
- If the requesting person is a public official or someone acting on his or her behalf, units may rely upon the following:
- Agency identification badge, credentials or other proof of status;
- Government letterhead, if request is by letter;
- A written statement of the legal authority (or, if impracticable, an oral statement) under which the information is requested.
- If a request is made pursuant to a legal process, warrant, subpoena, order, or other legal process, it is presumed to constitute legal authority.
- For persons acting on behalf of the official, a written statement on government letterhead or other evidence or documentation that establishes that the person is acting under the public official's authority (such as contract for services, memo of understanding). In this event, units must contact the Office of Legal Management to inform of such request by Public Officials.
- A unit may rely on the exercise of professional judgment as to disclosures pursuant to facility directories, to persons involved in a patient's care or payment and notification, and in relation to disaster relief as discussed in section V.F.3 and as to disclosures regarding serious threats to health and safety as discussed in attachment B.
VI.
...
ATTACHMENTS
A. Attachment 1 - , List of Identifiers and De-Identification Process
B. Attachment 2 - , Disclosures of PHI No Authorization Required
C. Attachment 3 - , Treatment, Payment and Health Care Operations
D. Attachment 4 - HYPERLINK, Hyperlink
By Direction of the President:
...
Signature on file
Rowan Security Officer
ATTACHMENT 1
LIST OF IDENTIFIERS AND DE-IDENTIFICATION PROCESS
A. RowanSOM may use protected health information (PHI) where information that can identify the individual not present and where RowanSOM has no reasonable basis to believe that information can be used to identify the individual. RowanSOM can create de-identified information by removing, coding, encrypting, or otherwise eliminating or concealing the following information regarding the individual, relatives, employers, or household members:
...
C.A covered entity can re-identify any information that has been de-identified as long as two conditions are satisfied. If the conditions are satisfied, a covered entity may use a code or some other method of recordation. First, the code or method of recordation cannot be derived from or related to information about the individual that would enable identification of the individual. Second, the covered entity cannot use or disclose either the code or other method of recordation or the mechanism for any other purpose or disclosure of the method for re-identification.
ATTACHMENT 2
DISCLOSURE OF PROTECTED HEALTH INFORMATION (PHI)
NO AUTHORIZATION REQUIRED
1.Public Health Activities | RowanSOM may disclose Protected Health Information (PHI) for public health activities as follows:
|
2.Victims of Abuse, Neglect, or Domestic Violence | In addition, RowanSOM may disclose PHI to a government authority about individuals reasonably believed to be victims of abuse, neglect, or domestic violence. Such disclosures involving adults are permitted if:
RowanSOM must promptly inform the individual of such report unless the provider believes informing the individual would place the individual at risk of serious harm or the provider would be informing a personal representative that the covered entity believes is responsible for the abuse, neglect, or other injury, and that informing such person would not be in the best interest of the individual. |
3.Health oversight activities | RowanSOM may disclose PHI to a health oversight agency for oversight activities authorized by law, including audits; civil, administrative, or criminal investigations; inspections; licensure or disciplinary actions; civil, administrative, or criminal proceedings or actions; or other activities necessary for the appropriate oversight of
RowanSOM may not disclose PHI under this section if an investigation or other activity relates to an individual but does not arise out of and is not directly related to:
|
4.Judicial and administrative proceedings | The RowanSOM Office of Legal Management will respond to all judicial and administrative proceedings. The Office of Legal Management will review the requests and either responds to the issuer of the request or advice about compliance with the request. |
5.Law enforcement purposes | RowanSOM may disclose PHI to a law enforcement official if:
All requests for disclosure of PHI by a law enforcement official must be referred to Legal Management for review prior to disclosure. |
6. Deceased Individuals | The PHI of a deceased individual may be disclosed without the personal representative's permission for three specific reasons that would not apply to living persons:
Otherwise, health records of deceased persons are protected as that of a living person and for up to 50 years after the pronouncement date. |
7.Organ Donation | RowanSOM may disclose PHI to organ procurement organizations or other entities engaged in procurement, banking, or transplantation of cadaveric organs, eyes or tissues for the purpose of facilitating organ, eye, or tissue donation and transplantation. |
8.Research Purposes |
|
9.Emergency Circumstances to Avert Threats to Safety | RowanSOM may, consistent with applicable law and standards of ethical conduct and based on a reasonable belief that the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of an individual, use or disclose PHI to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat.
|
ATTACHMENT 3
TREATMENT, PAYMENT AND HEALTH CARE OPERATIONS
A. "Treatment" - the provision, coordination, or management of health care and related services by one or more health care providers, includes:
...
- Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contracting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment;
- Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care providers, accreditation, certification, licensing, or credentialing activities;
- Conducting or arranging for medical review, legal services and auditing functions, including fraud and abuse detection and compliance programs;
- Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies; and
- Business management and general administrative activities of Rowan University School of Medicine, including, but not limited to:
- Resolution of internal grievances;
- Due diligence in connection with the sale or transfer of assets to a potential successor in interest, if the potential successor in interest is a covered entity or, following completion of the sale or transfer, will become a covered entity.