Title: Uses and Disclosures of Protected Health Information: With and Without Authorization
Subject: Office of Compliance & Corporate Integrity (OCCI)
Policy No: OCCI: 2013:P04
Issuing Authority: President
Responsible Officer: Chief Audit, Compliance & Privacy Officer; Director of Information Security
Date Adopted: 07/01/2013
Last Revision: 04 01/0126/20202021
Last Reviewed: 04 01/0126/20202021
I. PURPOSE
To establish the requirement for Rowan University School of Osteopathic Medicine (RowanSOM) uses and disclosures of individually identifiable protected health information (PHI) to be in conformance with state and federal regulations. This policy clarifies when an authorization is or is not required and/or clarifies when an opportunity to agree or disagree must be provided regarding the use and disclosure of protected health information. It establishes the necessary elements that must be included in these authorizations, and the extent of the information that may be used or disclosed.
II. ACCOUNTABILITY
Under the direction of the President, the Dean, Senior Vice President for Academic Affairs, General Counsel, Chief Audit, Compliance & Privacy Officer, Vice President for Finance and Treasurer and the Vice President for Supply Chain Management shall ensure compliance with this policy.
This policy applies to health information, including demographic information collected from an individual, whether oral or recorded in any form or medium, only when it meets the following conditions:
- It is created or received by any unit or department of RowanSOM acting in the capacity of a health care provider, health plan, employer or health care clearing house.
- It relates to a past, present or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or payment for the provision of health care.
- It can identify the patient, or there is a reasonable basis to believe that it can be used to identify an individual. Health information is considered not individually identifiable under the following two conditions:
  - Where the risk is very small that the information could be used to identify the individual. Risk is determined by using generally accepted and documented statistical and scientific principles and methods; and
  - Where all identifying information is removed. See Attachment 1 for a list of 18 identifiers that must be removed regarding the individual, relatives, employer and other household members to de-identify health information.

This policy does not apply to health information in education records covered under the Federal Education Right and Privacy Act (FERPA), 20 USC 1232g; and records under FERPA at 20 USC 1232g(a)(4)(B)(iv). See University policy, Family Educational Rights and Privacy Act, 00-01-25-05:00.
- Attachment 1, List of Identifiers and De-Identification Process
- Attachment 2, Disclosures of PHI No Authorization Required
- Attachment 3, Treatment, Payment and Health Care Operations
VIII. NON-COMPLIANCE AND SANCTIONS
Any individual who violates this policy shall be subject to discipline up to and including dismissal from the University in accordance with their union and University rules. Civil and criminal penalties may be applied accordingly. Violations of this policy may require retraining and be reviewed with the employee during the annual appraisal process. The Deans of each College, Vice Presidents, and University President, with the assistance of the Department of Human Resources, will enforce the sanctions appropriately and consistently against all violators regardless of job title or level within the University and in accordance with bargaining agreements for represented employees. Any sanction costs or fines will be borne by the Department, and the Department Chair or VP will determine how these funds will be assigned.
By Direction of the President: