University Policies

Page tree

Versions Compared

Old Version 10

changes.mady.by.user Alburger, Katherine A

Saved on

compared with

New Version 11

changes.mady.by.user Alburger, Katherine A

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

ROWAN UNIVERSITY POLICY


Title: Uses and Disclosures of Protected Health Information: With and Without Authorization
Subject: Office of Compliance & Corporate Integrity (OCCI)
Policy No: OCCI: 2013:P04
Applies: RowanSOM
Issuing Authority: President
Responsible AuthorityOfficer: RowanSOM Chief  Chief Audit, Compliance & Privacy Officer; Rowan Director of Information Security
Date Adopted:  07/01/31/2003
Amended: 08/08/2018
Reviewed: 08/08/20182013
Last Revision: 04/01/2020
Last Reviewed: 04/01/2020


I. PURPOSE

To establish the requirement for Rowan University School of Osteopathic Medicine (RowanSOM) uses and disclosures of individually identifiable protected health information (PHI) to be in conformance with state and federal regulations. This policy clarifies when an authorization is or is not required and/or clarifies when an opportunity to agree or disagree must be provided regarding the use and disclosure of protected health information. It establishes the necessary elements that must be included in these authorizations, and the extent of the information that may be used or disclosed.

...

Under the direction of the President, the Dean, Executive Senior Vice President for Academic and Clinical Affairs, General Counsel, Chief Audit, Compliance & Privacy Officer, Vice President for Finance and Treasurer and the Vice President for Supply Chain Management shall ensure compliance with this policy.

...

  1. This policy applies to health information, including demographic information collected from an individual, whether oral or recorded in any form or medium, only when it meets the following conditions:

    1. It is created or received by any unit or department of RowanSOM acting in the capacity of a health care provider, health plan, employer or health care clearing house.

    2. It relates to a past, present or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or payment for the provision of health care.
    3. It can identify the patient, or there is a reasonable basis to believe that it can be used to identify an individual. Health information is considered not individually identifiable under the following two conditions:
      1. Where the risk is very small that the information could be used to identify the individual. Risk is determined by using generally accepted and documented statistical and scientific principles and methods; and
      2. Where all identifying information is removed. See Attachment A 1 for a list of 18 identifiers that must be removed regarding the individual, relatives, employer and other household members to de-identify health information.
  2. This policy does not apply to health information in education records covered under the Federal Education Right and Privacy Act (FERPA), 20 USC 1232g; and records under FERPA at 20 USC 1232g(a)(4)(B)(iv). See University policy, Family Educational Rights and Privacy Act, 00-01-25-05:00.

...

  1.  RowanSOM and all its units shall appropriately protect the privacy of PHI that can identify an individual in compliance with federal and state law.   
  2.  RowanSOM will not use or disclose PHI without a valid authorization by the individual unless it is permitted under the following circumstances and is in accordance with state and federal law and this policy:
    1. When requested by the Secretary of the United States Department of Health and Human Services (DHH) to investigate or determine compliance with the privacy standard;
    2. When the disclosure is to the individual to whom the PHI pertains, or a legal personal representative, including requests for accounting or access to inspect or copy;
    3. To carry out treatment, payment or healthcare operations (TPO);
    4. Where an opportunity to agree or to object has been afforded to the individual and the individual does not object to the use and disclosure of PHI in the following circumstances:
      1. To include the individual in facility directories,
      2. To family and friends involved with the individual’s care or payment related to the individual’s healthcare, or
      3. To disaster relief agencies to coordinate the notification of family and friends regarding the individual’s location, condition, or death;
    5. Under the following circumstances when the use or disclosure meets the conditions and requirements detailed in Attachment B 2 and in accordance with federal and any stricter state law:
      1. For public health activities as discussed under 45 CFR 164.512(b);
      2. To governmental authorities about victims of abuse, neglect and domestic violence under the conditions discussed in 45 CFR 164.512(c);
      3. To health oversight agencies for oversight activities authorized by law;
      4. For judicial and administrative proceedings under the conditions discussed in 45 CFR 164.512(e);
      5. To law enforcement officials for certain law enforcement purposes under the conditions discussed in 45 CFR 164.512(f);
      6. To coroners and medical examiners for the purpose of identifying a deceased person or cause of death, or other duties authorized by law; and to funeral directors to carry out their duties;
      7. For cadaveric organ, eye or tissue donation;
      8. For research purposes when the Institutional Review Board approved an alteration to or waiver of the individual authorization requirement in compliance with 45 CFR 164.512(i) and appropriate representations and documentation regarding the use and disclosure is obtained from the researcher in accordance with 45 CFR 164.512(i);
      9. To avert a serious threat to health or safety of a person or the public;
      10. For specialized government functions including military and veterans activities; for protective services to the President of the USA; for national security activities; and to a correctional institution or law enforcement official about a lawfully detained individual under certain conditions;
      11. To the extent that the use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law;
      12. To report health care fraud;
      13. To other health care entities for their treatment, payment and operational purposes (see Attachment C3).
    6. When the information has been de-identified and there is no actual knowledge by Rowan SOM RowanSOM that any of the remaining information could identify the individual. See Attachment A 1 for the 18 pieces of information that must be removed to qualify as de-identified information.
  3. RowanSOM will comply with stricter state and federal law that affords greater protection to privacy rights as they relate to the privacy of individuals including but not limited to treatment for drug and alcohol use, HIV/AIDS, and mental health.
  4. For psychotherapy notes, a valid authorization must be obtained for any use and disclosure except under the following circumstances.
    1. For TPO of or by RowanSOM, only the following uses and disclosures are authorized:
      1. By the originator of the psychotherapy notes for treatment, but may not disclose it to anyone else;
      2. By the unit in training programs in which students, trainees, or practitioners in mental health learn or improve counseling skills; or
      3. By the unit to defend a legal action or other proceeding brought by the individual.
    2. To the extent that it is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.
    3. To health oversight agencies with respect to the oversight of the originator of the psychotherapy notes only;
    4. To coroners, medical examiners for the purpose of identifying a deceased person or cause of death, or other duties authorized by law; and to funeral directors to carry out their duties.
    5. To prevent or lessen a serious and imminent threat to the safety of a person or the public, unless information obtained in treatment initiated by the individual 45 CFR164.512 (i).
  5. Uses and Disclosures for Treatment, Payment and Health Care Operations (TPO)
    1. RowanSOM workforce may use and disclose PHI necessary for treating patients, obtaining payment for items and services, and conducting administrative and operational tasks as necessary to provide health care services as defined in Attachment B2.
    2. Members outside of the workforce (business associates) that provide certain functions, activities, or services for or to RowanSOM involving uses and disclosures of PHI in order to help RowanSOM carry out its health care functions, other than for treatment purposes, must enter into Business Associate Contracts with RowanSOM prior to their access to such information. The Vice President for Supply Chain Management shall be responsible for communicating and enforcing this section to vendors, independent contractors, business associates, etc.
    3. Patients may request restrictions on the uses or disclosures of health information for TPO. RowanSOM need not agree to the restriction requested, but will be bound by any restriction to which it agrees, only after the individual patient pays in full, prior to the initiation of the service(s)[164.522]. Any agreement to restrict must be appropriately documented on the Request for Restriction Form which can be accessed at the following website: https://www.rowan.edu/compliance
      and kept in the medical record, such restrictions must be clearly indicated on the face of the chart or somewhere obvious to anyone accessing the chart.
    4. The following types of operational activities may require a valid authorization:
      1. Marketing activities require an authorization prior to RowanSOM use and disclosure.
        1. Marketing includes any communication where the effect of the communication is to encourage recipients to purchase or use the product or service.
        2. Marketing does not constitute communications in the course of managing the treatment of the individual for purposes of "case management" and "care coordination."
        3. Authorizations for marketing along with the core elements discussed below must include the statement that the marketing is expected to result in direct or indirect remuneration to RowanSOM from the third party, if true.
        4. Exception: Face to face communications made by RowanSOM to the individual does not require an authorization.
      2. Fundraising activities: Only the following PHI may be disclosed without authorization to an institutionally related foundation for the purposes of raising funds for RowanSOM’s own benefit (if the foundation is run by non-Rowan SOM RowanSOM entity, a business approved limited data set agreement must be in place):
        1. Demographic information relating to an individual; and
        2. Dates of health care provided to an individual.
      3. RowanSOM must include in any fundraising materials a description of how the individual may opt out of receiving future communications; and RowanSOM must make sure those individuals who opt out do not receive any future communications.
      4. Research activities require a written authorization unless there is written documentation that the IRB either waived or altered the requirement. See Attachment B 2 under "Research" for requirements and specifications under which an authorization would not be required.
  6. Opportunity to Agree or Object
    1. In the following three (3) circumstances, PHI may be disclosed without an authorization as long as the patient is given an opportunity to agree or object. Units must establish a process to document that opportunity was afforded and if the individual objected.
      1. Facility Directories
        1. During registration process in units that utilize facility directories, all patients must be told that the information about them will be placed in the facility directory to provide information to friends, family, clergy and the press if requested and that they may object or request restrictions.
        2. The information that may be included in the directory is as follows:
          1. the patient’s name;
          2. the patient’s location;
          3. the patient’s condition, as undetermined, good, fair, serious or critical; and
          4. the patient’s religious affiliation.
      2. Specific medical information about the individual may not be included.
      3. Patients may agree or object orally or in writing. Each unit however should document the notification and response on a log sheet or in some other manner so as to be able to ascertain the patient’s previous preference in a future visit where an opportunity to object may not practicably be provided.
      4. In emergency situations involving patient incapacity, where the opportunity to object cannot practicably be provided, the patient’s most recent preference, if known, will be honored upon a determination by the attending physician or house supervisor that the disclosure is in the best interest of the patient.
      5. No directory information will be disclosed unless asked by name, except to members of the clergy.
    2. To Persons involved in a Patient’s Care or Payment
      1. PHI may be disclosed to a family member, a personal representative of the individual or another person when:
        1. That information is relevant to such person’s involvement with the individual’s care or payment related to such care, or
        2. To notify (or assist in the notification of) such persons of the individual’s location, general condition or death, and
        3. When section V.F.2.b. and section V.F.2.c. are complied with.
      2. If the individual is present and has the capacity to make healthcare decisions, the unit may use or disclose the PHI only if it:
        1. Obtains the individual’s agreement;
        2. Provides the individual the opportunity to object and the individual does not object; or
        3. Can be reasonably inferred from the circumstances, using professional judgment that the individual does not object to the disclosure.
      3. If the individual is not present, due to an incapacity or emergency circumstance, the unit may disclose only if:
        1. The PHI is directly relevant to the person’s involvement with the individual’s health care, and it is in the individual’s best interest.
        2. Units may use professional judgment and experience with common practice to make reasonable inferences regarding the individual’s best interest in allowing a person to act on behalf of the individual to “pick up filled prescriptions, medical supplies, X-rays, or other similar forms of PHI.”
    3. Disaster Relief Efforts
      1. PHI may be used or disclosed to a public or private entity authorized by law or by its charter to assist in disaster relief efforts. The above rules for use and disclosure of PHI for involvement in an individual’s care and notification (depending upon whether the individual is present or not) apply as long as they do not interfere with the public or private entity’s ability to respond to a disaster relief situation.
  7. Authorizations
    1. Units may use and disclose PHI when a valid authorization is obtained.
    2. For requests for authorization initiated by RowanSOM, all units must use RowanSOM's standardized authorization form, Authorization for Release of Information, which can be accessed at the following website: http://www.rowan.edu/compliance/documents/ROWANAuthorizationforReleaseForm.pdf.
    3. All sections must be complete. Changes or variations to the authorization forms must be approved by RowanSOM’s the Chief Audit, Compliance & Privacy Officer in the Office of Compliance & Corporate Integrity. Treatment may not be conditioned on obtaining the authorization (unless related to approve research clinical trial).
    4. If the authorization was received from the individual or third party, determine the validity of the authorization. The following elements must be present:
      1. A description of the specific information to be used or disclosed.
      2. Name of the specific person or entity authorized to disclose the information.
      3. Name of the specific person or entity to whom RowanSOM may make the requested use or disclosure and, if information is to be mailed, the address of the person or entity.
      4. The date, event or condition upon which the authorization will expire.
      5. The individual’s signature and date.
      6. A description of the personal legal representative's authority to sign, if applicable.
      7. A description of the purpose of the disclosure. (Not required if the individual requests disclosure for own use).
      8. A statement in which the individual acknowledges that he or she has the right to revoke the authorization, instructions on how to exercise such right or to the extent the information is included in the covered entity's notice, a reference to the notice.
      9. A statement that treatment may not be conditioned on obtaining the authorization, unless it is research related and disclosure of the information is for the particular research study. For purposes of research, where treatment may be conditioned on obtaining the authorization, a statement about the consequences of refusing to sign the authorization.
      10. A statement in which the individual acknowledges that information used or disclosed to any entity other than a health plan or health care provider may no longer be protected by federal privacy law.
      11. If the authorization is for marketing purposes and the marketing is expected to result in direct or indirect remuneration to RowanSOM from a third party, a statement of this fact.
      12. If the disclosure requested involves mental health information, the authorization must also include the following:
        1. The specific purposes for which the information may be used, both at the time of disclosure and any time in the future; and
        2. That the patient is aware of the statutory privilege accorded to confidential communications between a patient and a licensed psychologist and psychiatrist.
    5. Defective Authorizations
      1. An “authorization” is not considered valid if it has any of the following defects:
        1. The expiration date has passed.
        2. The form has not been filled out completely.
        3. The authorization is known by RowanSOM to have been revoked.
        4. The form lacks any required element.
        5. The information on the form is known by RowanSOM to be false.
        6. Treatment was conditioned upon obtaining the authorization (except for research purposes).
    6. Legal Representatives
      1. If the authorization is signed by a legal representative or other person authorized to act for the individual, the request must be accompanied by documentation of the representative’s legal authority to act on behalf of the individual.
    7. Revocation of Authorization.
      1. A patient who has executed an authorization for disclosure or use of individual health information may revoke the authorization at any time by sending a written notice to Rowan University as described in RowanSOM’s Notice of Privacy Practices.
        1. The written notice must refer to the specific authorization being revoked (e.g., “my authorization of January 27, 2002”) and be signed and dated by the individual or his or her legal representative.
        2. The revocation becomes effective upon receipt by RowanSOM, with the exception of uses or disclosures made by RowanSOM prior to receipt.
    8. For Research-Related Health Information
      1. The core elements of an authorization as described below may be combined with the informed consent to participate in the research.
      2. Rowan University may condition the provision of research related treatment (related to the clinical trial) on obtaining authorization.
      3. RowanSOM may use and disclose for a specific research study, PHI that is created or received before and after HIPAA's compliance date (April 14, 2003), and/or prior to the new authorizations being implemented, as long as some other express legal permission to use and disclose the information for the research study was obtained.
      4. Archived information may continue to be used and disclosed for the research study if an individual had originally signed an informed consent to participate in the research study, or IRB waived informed consent, in accordance with the Common Rule or FDA's human subject protection regulations.
      5. An accounting of all disclosures made under an authorization must be documented and maintained. See University policy, Accounting of Disclosures of Health Information.
  8. Extent of the Information That May be Used and Disclosed.
    1. For disclosures made under a valid authorization, disclose the information to the extent specified in the authorization.
    2. Absent an authorization, each unit must make reasonable effort to limit the use or disclosure of, and requests for, PHI to the minimum necessary to accomplish the intended purpose. The minimum necessary rule does not apply to the following circumstances:
      1. Disclosures to or requests by a health care provider for treatment purposes.
      2. Disclosures to the individual or personal legal representative, who is the subject of the information.
      3. Uses and disclosures made pursuant to an authorization.
      4. Uses or disclosures required for compliance with the standardized HIPAA electronic transactions.
      5. Disclosures to the Department of Health and Human Services when disclosure of information is required under HIPAA for enforcement purposes.
      6. Uses and disclosures that are required by law.
    3. Each unit must make an assessment of what PHI is reasonably necessary for a particular purpose, given the characteristics of the unit's business practices and workforce, and to implement policies and procedures accordingly. Policies and procedures should address the following:
      1. Internal use by the unit’s workforce for uses other than for treatment purposes. Identify the persons or classes of persons within the workforce who need access to the information to carry out their job duties, the categories or types of PHI needed, and conditions appropriate to such access.
      2. Routine and recurring disclosures to third parties. Limit the PHI to the minimum amount reasonably necessary to achieve the purpose of the disclosure.
      3. Non-routine disclosures to third parties. Criteria must be developed that limit the disclosure of PHI to the minimum information reasonably necessary to accomplish the purpose for which disclosure is sought. Requests for disclosures must be reviewed on a case-by-case basis in accordance with such criteria. Units may rely (if such reliance is reasonable) on a requested disclosure being the minimum necessary for the stated purpose when:
        1. The covered entity is making disclosures to a public official where no authorization or consent is required, and the public official represents that the information requested is the minimum necessary;
        2. The information is requested by another health care provider, health plan or health care clearing house covered under HIPAA;
        3. The information is requested by a professional who is a member of RowanSOM’s workforce or business associate for the purpose of providing professional services to RowanSOM, if the professional represents that the information requested is the minimum necessary for the stated purpose; or
        4. Documentation or representations are made that comply with the requirements of 45 CFR 164.512(i) (regarding uses and disclosures involving research).
  9. Verification Requirement
    1. Each unit will verify the identity and authority of persons requesting PHI. Verification procedures should be reflected in policies and procedures accordingly.
    2. If the requesting person is a public official or someone acting on his or her behalf, units may rely upon the following:
      1. Agency identification badge, credentials or other proof of status;
      2. Government letterhead, if request is by letter;
      3. A written statement of the legal authority (or, if impracticable, an oral statement) under which the information is requested.
      4. If a request is made pursuant to a legal process, warrant, subpoena, order, or other legal process, it is presumed to constitute legal authority.
      5. For persons acting on behalf of the official, a written statement on government letterhead or other evidence or documentation that establishes that the person is acting under the public official's authority (such as contract for services, memo of understanding). In this event, units must contact the Office of Legal Management to inform of such request by Public Officials.
    3. A unit may rely on the exercise of professional judgment as to disclosures pursuant to facility directories, to persons involved in a patient’s care or payment and notification, and in relation to disaster relief as discussed in section V.F.3. and as to disclosures regarding serious threats to health and safety as discussed in Attachment  B2.

VI. ATTACHMENTS

  1. Attachment 1, List of Identifiers and De-Identification Process
  2. Attachment 2, Disclosures of PHI No Authorization Required
  3. Attachment 3, Treatment, Payment and Health Care Operations

...

__________________________________________
RowanSOM Chief Audit, Compliance and Privacy Officer

...