1.Public Health Activities

RowanSOM may disclose Protected Health Information (PHI) for public health activities as follows:

1. To public health authority that is authorized by law:
   
   1. To collect or receive such information for the purpose of preventing or controlling disease, injury or disability;
   2. To receive reports of child abuse or neglect;
2. To persons subject to the jurisdiction of the Food and Drug Administration:
   
   1. To report adverse events, product defects or problems, or biological product deviations if the disclosure is made to the person required or directed to report such information to the FDA;
   2. To track products if the disclosure is made to a person required or directed by the FDA to track the product;
   3. To enable product recalls, repairs, or replacement; or
   4. To conduct post-marketing surveillance to comply with requirements or at the direction of the FDA.
3. To a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition where RowanSOM is authorized by law to notify the person as necessary in the conduct of public health intervention or investigation; or
4. To a RowanSOM Unit about an individual who is a member of the Unit's work force if:
   
   1. RowanSOM provides health care to the individual at the request of the Unit to conduct medical surveillance of the workplace or to evaluate individuals for work-related illness or injury;
   2. The PHI consists of findings concerning work-related illness or injury or workplace related medical surveillance;
   3. The Unit needs the findings to comply with its obligations under 29 CFR Part 1904-1928 (Occupational Safety and Health Administration regulations) or 30 CFR Parts 50-90 (Mine Safety and Health Administration) or under similar state law, to record such illness or injury or to carry out responsibilities for workplace medical surveillance; or
   4. RowanSOM gives written notice to the individual that PHI relating to the medical surveillance of the workplace and workplace related illnesses and injuries is disclosed to the Unit by giving a copy of the notice to the individual when the health care is provided or if the healthcare is provided on the worksite of the employer, by posting the notice prominently where the health care is provided.

2.Victims of Abuse, Neglect, or Domestic Violence

In addition, RowanSOM may disclose PHI to a government authority about individuals reasonably believed to be victims of abuse, neglect, or domestic violence. Such disclosures involving adults are permitted if:

1. The disclosure is required by law and the disclosure is limited to the requirements of such law.
2. The individual agrees to the disclosure.
3. The disclosure is expressly authorized by statute or regulation, and
   
   1. RowanSOM believes the disclosure is necessary to prevent serious harm to the individual or other potential victims; or
   2. If the individual cannot agree because of incapacity, a law enforcement or other public official authorized to receive the report represents that the PHI is not intended to be used against the individual and that an immediate enforcement activity that depends upon the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure.

RowanSOM must promptly inform the individual of such report unless the provider believes informing the individual would place the individual at risk of serious harm or the provider would be informing a personal representative that the covered entity believes is responsible for the abuse, neglect, or other injury, and that informing such person would not be in the best interest of the individual.

3.Health oversight activities

RowanSOM may disclose PHI to a health oversight agency for oversight activities authorized by law, including audits; civil, administrative, or criminal investigations; inspections; licensure or disciplinary actions; civil, administrative, or criminal proceedings or actions; or other activities necessary for the appropriate oversight of

1. the health care system, 
2. government benefit programs for which health information is relevant to beneficiary eligibility, 
3. entities subject to government regulatory programs that need health information to determine compliance with program standards, or entities subject to civil rights law that need health information to determine compliance.

RowanSOM may not disclose PHI under this section if an investigation or other activity relates to an individual but does not arise out of and is not directly related to:

1. the receipt of health care; 
2. a claim for public benefits related to health; or 
3. qualifications for, or receipt of, public benefits or services when a patient's health is integral to the claim for public benefits or services.

4.Judicial and administrative proceedings

The RowanSOM Office of Legal Management will respond to all judicial and administrative proceedings. The Office of Legal Management will review the requests and either responds to the issuer of the request or advice about compliance with the request.

RowanSOM may disclose PHI to a law enforcement official if:

1. The law enforcement official is conducting or supervising a law enforcement inquiry or proceeding authorized by law and the disclosure is:
   1. A warrant, subpoena, or order issued by a judicial officer (that documents a finding by the judicial officer);
   2. A grand jury subpoena; or
   3. An administrative request, including an administrative subpoena or summons, a civil investigative demand, or similar process authorized under law, provided that:
      
      1. The information sought is relevant and material to a legitimate law enforcement inquiry;
      2. The request is as specific and narrowly drawn as is reasonably practicable; and
      3. De-identified information could not reasonably be used.
2. If the disclosure is for the purpose of identifying a suspect, fugitive, material witness, or missing person, RowanSOM may disclose only the following information: 
   
   1. Name
   2. Address
   3. Social security number
   4. Date of birth
   5. Place of birth
   6. Type of injury or other distinguishing characteristic
   7. Date and time of treatment. 
3. If the disclosure is of the PHI of an individual who is suspected to be a victim of a crime, abuse, or other harm, if the law enforcement official states that:
   1. such information is needed to determine whether a violation of law by a person other than the victim has occurred; and
   2. immediate law enforcement activity that depends upon obtaining such information may be necessary. 
4. For purposes of alerting law enforcement of the death of an individual if the covered entity has a suspicion that such death may have resulted from criminal conduct.
5. To a law enforcement official if the covered entity believes in good faith that the PHI constitutes evidence that criminal conduct occurred on the premises of the covered entity.
6. Disclosure of PHI to a law enforcement official where: 
   1. a provider is providing health care in response to a medical emergency (other than on the premises of the provider) and
   2. such disclosure is necessary to alert law enforcement to the commission and nature of a crime, the location of the crime or its victims, and the identity, description, and location of the perpetrator (provided that victims of abuse, neglect or domestic violence will be treated in accordance with the provisions in Section 2 above). 

All requests for disclosure of PHI by a law enforcement official must be referred to Legal Management for review prior to disclosure.

The PHI of a deceased individual may be disclosed without the personal representative's permission for three specific reasons that would not apply to living persons:

1. For information needed by coroners, medical examiners and funeral directors.
2. For information needed to facilitate an organ donation.
3. To alert a law enforcement agency of the death if the covered entity has a suspicion that such death may have resulted from criminal conduct. If the agency is already investigating the death, other law enforcement powers to obtain PHI may apply. 

Otherwise, health records of deceased persons are protected as that of a living person and for up to 50 years after the pronouncement date.

1. RowanSOM may use or disclose PHI for research, regardless of the source of funding of the research, provided that RowanSOM has obtained a written waiver, in whole or in part, of authorization for use or disclosure of PHI that has been approved by the IRB, in whole or in part, and satisfying the following criteria:
   1. The use or disclosure of PHI involves no more than minimal risk to the privacy of individuals, based on, at least, the presence of the following elements: 
      1. an adequate plan to protect the identifiers from improper use and disclosure;
      2. an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and
      3. adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use and disclosure of PHI would be permitted under federal and state law.
   2. The research could not practicably be conducted without the waiver;
   3. The research could not practicably be conducted without access to and use of the PHI. 
2. RowanSOM must obtain from the researcher representations that: 
   1. Use and disclosure is sought solely to review PHI as necessary to prepare a research protocol or for similar purposes preparatory to research; 
   2. No PHI is to be removed from Rowan University SOM by the researcher in the course of the review; and 
   3. The PHI for which use or access is sought is necessary for research purposes. 
3. As to research on decedent's information, RowanSOM must obtain from the researcher:
   1. Representation that the use and disclosure is sought solely for research on the PHI of decedents;
   2. Documentation, at the request of RowanSOM, of the death of such individuals; and representation that the PHI for which use and disclosure is sought is necessary for research purposes.

1. In making such a disclosure, RowanSOM is presumed to have acted under a reasonable belief, if the disclosure is made in good faith based upon a credible representation by a person with apparent knowledge or authority (such as a doctor or law enforcement or other government official) (NJSA 2A:62A-16).