
Title: Disclosures of Personally Identifiable Health Information to Business Associates
Subject: Office of Compliance & Corporate Integrity (OCCI)
Policy No: OCCI:2013:P08
Applies: RowanSOM
Issuing Authority: Chief Audit, Compliance & Privacy Officer; Director of Information Security
Responsible Officer: Chief Audit, Compliance & Privacy Officer; Director of Information Security
Date Adopted: 07/01/2013
Last Revision: 01/26/2021
Last Reviewed: 01/26/2021

I.    PURPOSE

To assure compliance with the requirements of the Health Insurance Portability and Accountability Act (HIPAA) of 2004, Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 and the Omnibus Privacy Final Rule of 2013 in relation to disclosures of Protected Health Information (PHI) and to entering into contracts with business associates.

...

  1. Attachment 1, Is a Person or Entity a "Business Associate" and Required to Enter Into a Written Business Associate Contract?
  2. Attachment 2, Examples of Potential Business Associates
  3. Attachment 3, Treatment, Payment and Health Care Operations
  4. Attachment 4, Business Associates Agreement Involving the Access to Protected Health Information
  5. Attachment 5, Hyperlink

VIII. NON-COMPLIANCE AND SANCTIONS

Any individual who violates this policy shall be subject to discipline up to and including dismissal from the University in accordance with their union and University rules. Civil and criminal penalties may be applied accordingly. Violations of this policy may require retraining and be reviewed with the employee during the annual appraisal process. The Deans of each College, Vice Presidents, and University President, with the assistance of the Department of Human Resources, will enforce the sanctions appropriately and consistently to all violators regardless of job titles or level within the University and in accordance with bargaining agreements for represented employees. Any sanction costs or fines will be borne by the Department and the Department Chair or VP will determine how these funds will be assigned.

By Direction of the President:


Signature on file

                                                                                                       

Chief Audit, Compliance and Privacy Officer



By Direction of the President:


Signature on file

                                                                                                       

Director of Information Security


ATTACHMENT 1
Is a Person or Entity a "Business Associate" and 
Required to Enter Into a Written Business Associate Contract?





[Flowchart image]


ATTACHMENT 2 
Examples of Potential Business Associates 

(This is not an all-inclusive list, nor is every arrangement listed necessarily a business associate. Use the attached flowchart and policy and procedure to analyze whether the relationship is a business associate relationship under HIPAA. Contact Legal Management at 2-4705 for assistance in the analysis.)

Accountants

Accounting services and firms

Accreditation services

Actuarial services

Actuarial specialists

Adjudication services

Administrative services

Advertisers

Architects, builders, and contractors

Asset-based lenders to healthcare facilities

Attorneys

Auditors

Billing service companies

Bulk mailing services

Care management programs

Civic groups and other local groups that help out on an ad hoc basis with patients who are hospitalized for a traumatic event or complicated illness (e.g., Shrine Temples, Ronald McDonald House)

Coding providers and experts

Community health management information systems

Computer maintenance services and companies

Consulting services

Contract Research Organization – An entity used by pharmaceutical and device manufacturers to monitor clinical research trials

Copy services

Data aggregation services

Device manufacturers

Document storage and destruction vendors

Financial service companies

Government health data systems

Hardware vendors

Healthcare consultants (e.g., risk management, information technology, billing, coding and management)

Hospital associations (National and State)

HVAC vendors

Independent contractors

ATTACHMENT 2 (continued) 
Examples of Potential Business Associates


Independent service organizations (ISO) offering clinical/biomedical engineering services

Insurance brokers

Interpreter services (both deaf and foreign language)

Janitorial services; waste disposal and recycling services and companies

Law firms, their staff and employees

Lobbyists

Mailing houses

Maintenance contractors

Management services

Marketing services or firms

Medical equipment testing/repair services

Medical or Physician associations (National and State)

Medical record moving companies

Medical record storage companies

Medical record transcription services

Medical software vendors

Microfilm conversion providers

Organ and Tissue Banks

Organ procurement organization

Outsourced document shredders

Patient advocates

Pharmaceutical companies

Pharmaceutical manufacturers

Pharmaceutical representatives

Plasma Donor Centers

Printing companies (ID cards and other member materials)

Private health data systems

Professional liability insurance carriers

Recycling services and companies

Software vendors

Sperm Banks

Temporary Staffing Companies

Third-party administrators

Trade associations

Utilization management vendors

Value added networks

Vendors to business associates if involving the disclosure of independently identifiable health information

Waste disposal services and companies

...

  1. "Treatment" - the provision, coordination, or management of health care and related services by one or more health care providers, including:
    1. the coordination or management of health care by a health care provider with a third party;
    2. consultation between health care providers relating to a patient; or
    3. the referral of a patient for health care from one health care provider to another. 
  2. "Payment" - the activities undertaken to obtain payment for the provision of healthcare; and relates to the individual to whom health care is provided and includes, but is not limited to:
    1. Determinations of eligibility or coverage (including coordination of benefits or the determination of cost sharing amounts), and adjudication or subrogation of health benefit claims;
    2. Billing, claims management, collection activities, obtaining payment under a contract for reinsurance (including stop-loss insurance and excess of loss insurance), and related health care data processing;
    3. Obtaining information about the location of the individual is a routine activity to facilitate the collection of amounts owed and the management of accounts receivable, and, therefore, would constitute a payment activity.
    4. Debt collection is recognized as a payment activity.
    5. Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges;
    6. Utilization review activities, including pre-certification and pre-authorization of services, concurrent and retrospective review of services; and
    7. Disclosure to consumer reporting agencies of any of the following protected health information relating to collection of reimbursement:
      1. Name and address;
      2. Date of Birth;
      3. Social Security Number;
      4. Payment history;
      5. Account number; and
      6. Name and address of the health care provider and/or health plan.
  3. "Health Care Operations" - any of the following activities:
    1. Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contracting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment;
    2. Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care providers, accreditation, certification, licensing, or credentialing activities;
    3. Conducting or arranging for medical review, legal services and auditing functions, including fraud and abuse detection and compliance programs;
    4. Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies; and
    5. Business management and general administrative activities of Rowan University, including, but not limited to:
      1. Resolution of internal grievances;
      2. Due diligence in connection with the sale or transfer of assets to a potential successor in interest, if the potential successor in interest is a covered entity or, following completion of the sale or transfer, will become a covered entity.

ATTACHMENT 4

Business Associates Agreement Involving the Access to Protected Health Information 

...

Vendor: ___________________________________________

RowanSOM BAA-2019.doc
 

ATTACHMENT 5

...