ROWAN UNIVERSITY POLICY

Title: Standards for Privacy of Individually Identifiable Health Information

Subject: Office of Compliance & Corporate Integrity (OCCI)

Policy No: OCCI:2013:P01

Applies: RowanSOM

Issuing Authority: President

Responsible Authority: RowanSOM Chief Compliance & Privacy Officer & Rowan Security Officer

Adopted: 01/27/2003

Amended: 07/01/2013

Reviewed: 01/12/2015

I. PURPOSE

To ensure Rowan School of Osteopathic Medicine (RowanSOM) compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 and the Omnibus Privacy Final Rule of 2013, and to establish standards for Privacy of Individually Identifiable Health Information.

II. ACCOUNTABILITY

Under the direction of the President, the Executive Vice President for Academic and Clinical Affairs, the Deans, Chief Compliance & Privacy Officer, Vice President for Administration, General Counsel, Vice President for Research, Vice President for Finance and Treasurer, Vice President for Human Resources and the Vice President, Supply Chain Management shall ensure compliance with this policy.

III. APPLICABILITY

This policy shall apply to health information that is generated during the provision of health care services to patients in any of RowanSOM’s patient care units, patient care centers or faculty practices, as well as Human Subjects research under the auspices of RowanSOM or by any of its agents, in all RowanSOM departments and RowanSOM owned or operated facilities.

IV. REFERENCES

A. 45 CFR, 160, Code of Federal Regulations, Title 45, Part 160, Subpart C, General Administrative Requirements, Compliance and Enforcement

...

H. Omnibus Privacy Final Rule of 2013

V. POLICY

A. RowanSOM will implement and maintain a Privacy Program to assure compliance with state and federal laws and RowanSOM policies protecting the confidentiality of individually identifiable health information of its patients and/or Human Subjects. The Privacy Program will complement the Information Security policies of RowanSOM.

...

  1. RowanSOM’s Privacy Program will consist of the following elements:
    1. University-wide and Unit Privacy Liaisons
      1. The Chief Compliance & Privacy Officer will oversee the development, implementation and maintenance of RowanSOM’s Privacy Program. The Privacy Program will complement the Information Security policies of RowanSOM.
      2. The Chief Compliance Officer will also serve as the RowanSOM Privacy Officer. The Privacy Officer will implement the Privacy Program and University-wide policies and procedures within the schools/units, and oversee the development, implementation and maintenance of school/unit or departmental privacy policies and procedures as appropriate.
      3. RowanSOM’s Institutional Review Boards (IRBs) will assure that informed consents include appropriate authorizations for disclosure or that authorization has been appropriately waived.
    2. School and Healthcare Unit Custodian of Medical Records
      1. The President and the Dean maintaining Protected Health Information (PHI) will appoint a Custodian of Medical Records.
      2. It will be the responsibility of the Custodian of Medical Records to assure that processes are in place at their unit, and subordinate work units, to implement and monitor compliance with the elements detailed in Section V.A.1.c., below.
    3. The Chief Compliance & Privacy Officer, with the assistance of the appropriate Custodian of Medical Records, will direct that the following elements are developed, implemented and maintained in conformance with state and federal requirements, and are reflected in policies and procedures accordingly:
      1. Providing notice to patients of RowanSOM’s privacy practices for Protected Health Information (PHI);
      2. Protecting the confidentiality of uses and disclosures of PHI, including requiring appropriate authorizations, and/or an opportunity to agree or object when mandated by law for uses and disclosures of PHI;
      3. Implementing appropriate and reasonable administrative, technical, and physical safeguards to protect the privacy of PHI from unauthorized use or disclosure;
      4. Assuring that a written process is in place that allows individuals to restrict uses and disclosures of their health information. RowanSOM, however, is not required to agree to such requests.
      5. Assuring that patients can receive communications of their health information by alternate means or alternate locations, if requested.
      6. Implementing a written process for maintaining and providing an accounting of RowanSOM’s uses and disclosures of PHI to requesting individuals to whom the information pertains.
      7. Assuring that a written process is in place that allows individuals to access, inspect and/or obtain a copy of their health information;
      8. Assuring that a process is in place that allows individuals to request that a unit amend their health information. RowanSOM, however, may deny requests under specified circumstances;
      9. The RowanSOM Chief Compliance & Privacy Officer will be the designated contact person for individuals seeking further information or clarification to the Unit’s health information policies, and privacy and patient rights requirements covered under the notice. RowanSOM’s Chief Compliance & Privacy Officer will be designated to receive complaints concerning RowanSOM and its compliance with health information privacy and patient rights requirements.
    4. All existing or new unit or departmental policies and procedures addressing any of the items in section V.A.1.c. above, or that concern the use or disclosure of PHI, and all consent/authorization forms for the disclosure of PHI, must be presented to RowanSOM’s Chief Compliance & Privacy Officer for review to assure compliance with RowanSOM policies, as well as state and federal requirements.
    5. The Chief Compliance & Privacy Officer will communicate periodically with the RowanSOM President or Dean on the status of all policies and procedures concerning PHI and the Privacy Program, including its implementation, training, and any recommended changes or amendments. The Chief Compliance & Privacy Officer will handle any complaints or issues of non-compliance with RowanSOM or Corporate Compliance and Privacy policies.
    6. RowanSOM will promptly revise its policies and procedures related to the Privacy Program as discussed above as necessary and appropriate to comply with changes in the law. All policies and procedures will be reviewed periodically by the Chief Compliance & Privacy Officer to assure compliance with the laws, as well as for operational effectiveness. If the changes in the law also materially affect privacy practices stated in RowanSOM’s notice to patients regarding privacy practices (NPP), the notice must also be changed in a timely manner.
    7. All notices to patients concerning RowanSOM privacy practices must state that RowanSOM reserves the right to make changes in its privacy practices at any time.
  2. Education and Training
    1. The Chief Compliance & Privacy Officer will recommend training to refresh the RowanSOM workforce regarding the Privacy Program, policies and procedures and the regulatory requirements, as appropriate.
    2. The Office of Compliance and Corporate Integrity will take necessary efforts to offer new members of the workforce privacy training within 30 days of hire.
    3. The Chief Compliance & Privacy Officer will coordinate additional training of the workforce whose functions are affected by a material change in the policies and procedures within a reasonable period of time after the change becomes effective.
    4. Training provided will be appropriately documented and the documentation will be maintained by the Chief Compliance & Privacy Officer for a minimum of six (6) years or as specified by the New Jersey State Retention Schedule.
  3. Non-retaliation for exercise of Patient Rights
    RowanSOM will maintain, in the Code of Conduct and other applicable policies and procedures, provisions stating that intimidating, threatening, coercing, discriminating or taking other retaliatory action against the following is prohibited, as outlined in the Notice of Rowan SOM Privacy Practices for Protected Health Information (NPP):
    1. Patients for exercising any right established by HIPAA privacy guidelines, 45 CFR 164, subpart E;
    2. Individuals and others for filing a complaint with the Secretary of Health and Human Services under 45 CFR 160, subpart C;
    3. Individuals and others for testifying, assisting, or participating in an investigation, compliance review, proceeding, or hearing under Part C of Title XI; or
    4. Individuals or others for opposing any act or practice made unlawful by 45 CFR 164, subpart E, provided the individual or person has a good faith belief that the practice opposed is unlawful, and the manner of the opposition is reasonable and does not involve a disclosure of PHI in violation of 45 CFR 164, subpart E.

...