...
Title: Disclosures of Personally Identifiable Health Information to Business Associates
Subject: Office of Compliance & Corporate Integrity (OCCI)
Policy No: OCCI:2013:P08
Applies: RowanSOM
Issuing Authority: Chief Audit, Compliance & Privacy Officer; Director of Information Security
Responsible Officer: Chief Audit, Compliance & Privacy Officer; Director of Information Security
Date Adopted: 07/01/2013
Last Revision: 03 01/2526/20202021
Last Reviewed: 0301/2526/20202021
I. PURPOSE
To assure compliance with the requirements of the Health Insurance Portability and Accountability Act (HIPAA) of 2004, Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 and the Omnibus Privacy Final Rule of 2013 in relation to disclosures of Protected Health Information (PHI) and to entering into contracts with business associates.
...
- Attachment 1, Is a Person or Entity a "Business Associate" and Required to Enter Into a Written Business Associate Contract?
- Attachment 2, Examples of Potential Business Associates
- Attachment 3, Treatment, Payment and Health Care Operations
- Attachment 4, Business Associates Agreement Involving the Access to Protected Health Information
- Attachment 5, Hyperlink
By Direction of the President:
Signature on file
Chief Audit, Compliance and Privacy Officer
By Direction of the President:
Signature on file
Director of Information Security
...
VIII. NON-COMPLIANCE AND SANCTIONS
Any individual who violates this policy shall be subject to discipline up to and including dismissal from the University in accordance with their union and University rules. Civil and criminal penalties may be applied accordingly. Violations of this policy may require retraining and be reviewed with the employee during the annual appraisal process. The Deans of each College, Vice Presidents, and University President, with the assistance of the Department of Human Resources, will enforce the sanctions appropriately and consistently against all violators regardless of job title or level within the University and in accordance with bargaining agreements for represented employees. Any sanction costs or fines will be borne by the Department, and the Department Chair or VP will determine how these funds will be assigned.
ATTACHMENT 1
Is a Person or Entity a "Business Associate" and Required to Enter Into a Written Business Associate Contract?
ATTACHMENT 2
Examples of Potential Business Associates
(This is not an all-inclusive list, nor is every arrangement listed necessarily a business associate. Use the attached flowchart and policy and procedure to analyze whether the relationship is a business associate relationship under HIPAA. Contact Legal Management at 2-4705 for assistance in the analysis.)
- Accountants
- Accounting services and firms
- Accreditation services
- Actuarial services
- Actuarial specialists
- Adjudication services
- Administrative services
- Advertisers
- Architects, builders, and contractors
- Asset-based lenders to healthcare facilities
- Attorneys
- Auditors
- Billing service companies
- Bulk mailing services
- Care management programs
- Civic groups and other local groups that help out on an ad hoc basis with patients who are hospitalized for a traumatic event or complicated illness (e.g., Shrine Temples, Ronald McDonald House)
- Coding providers and experts
- Community health management information systems
- Computer maintenance services and companies
- Consulting services
- Contract Research Organization – An entity used by pharmaceutical and device manufacturers to monitor clinical research trials
- Copy services
- Data aggregation services
- Device manufacturers
- Document storage and destruction vendors
- Financial service companies
- Government health data systems
- Hardware vendors
- Healthcare consultants (e.g., risk management, information technology, billing, coding and management)
- Hospital associations (National and State)
- HVAC vendors
- Independent contractors
- Independent service organizations (ISO) offering clinical/biomedical engineering services
- Insurance brokers
- Interpreter services (both deaf and foreign language)
- Janitorial services; waste disposal and recycling services and companies
- Law firms, their staff and employees
- Lobbyists
- Mailing houses
- Maintenance contractors
- Management services
- Marketing services or firms
- Medical equipment testing/repair services
- Medical or Physician associations (National and State)
- Medical record moving companies
- Medical record storage companies
- Medical record transcription services
- Medical software vendors
- Microfilm conversion providers
- Organ and Tissue Banks
- Organ procurement organization
- Outsourced document shredders
- Patient advocates
- Pharmaceutical companies
- Pharmaceutical manufacturers
- Pharmaceutical representatives
- Plasma Donor Centers
- Printing companies (ID cards and other member materials)
- Private health data systems
- Professional liability insurance carriers
- Recycling services and companies
- Software vendors
- Sperm Banks
- Temporary Staffing Companies
- Third-party administrators
- Trade associations
- Utilization management vendors
- Value added networks
- Vendors to business associates if involving the disclosure of independently identifiable health information
- Waste disposal services and companies
...
- "Treatment" - the provision, coordination, or management of health care and related services by one or more health care providers, including:
  - the coordination or management of health care by a health care provider with a third party;
  - consultation between health care providers relating to a patient; or
  - the referral of a patient for health care from one health care provider to another.
- "Payment" - the activities undertaken to obtain payment for the provision of healthcare; and relates to the individual to whom health care is provided and includes, but is not limited to:
  - Determinations of eligibility or coverage (including coordination of benefits or the determination of cost sharing amounts), and adjudication or subrogation of health benefit claims;
  - Billing, claims management, collection activities, obtaining payment under a contract for reinsurance (including stop-loss insurance and excess of loss insurance), and related health care data processing;
  - Obtaining information about the location of the individual is a routine activity to facilitate the collection of amounts owed and the management of accounts receivable, and, therefore, would constitute a payment activity.
  - Debt collection is recognized as a payment activity.
  - Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges;
  - Utilization review activities, including pre-certification and pre-authorization of services, concurrent and retrospective review of services; and
  - Disclosure to consumer reporting agencies of any of the following protected health information relating to collection of reimbursement:
    - Name and address;
    - Date of Birth;
    - Social Security Number;
    - Payment history;
    - Account number; and
    - Name and address of the health care provider and/or health plan.
- "Health Care Operations" - any of the following activities:
  - Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment;
  - Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care providers, accreditation, certification, licensing, or credentialing activities;
  - Conducting or arranging for medical review, legal services and auditing functions, including fraud and abuse detection and compliance programs;
  - Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies; and
  - Business management and general administrative activities of Rowan University, including, but not limited to:
    - Resolution of internal grievances;
    - Due diligence in connection with the sale or transfer of assets to a potential successor in interest, if the potential successor in interest is a covered entity or, following completion of the sale or transfer, will become a covered entity.
ATTACHMENT 4
Business Associates Agreement Involving the Access to Protected Health Information
...
Vendor: ___________________________________________
RowanSOM BAA-2019.doc
ATTACHMENT 5
HYPERLINK
...