
ROWAN UNIVERSITY POLICY

Title: Disclosures of Personally Identifiable Health Information to Business Associates

Subject: Office of Compliance & Corporate Integrity (OCCI)

Policy No: OCCI: 2013: P08

Applies: RowanSOM

Issuing Authority: RowanSOM Chief Compliance & Privacy Officer & RowanSOM Security Officer

Responsible Authority: RowanSOM Chief Compliance & Privacy Officer & RowanSOM Security Officer

Adopted: 4/14/2003

Amended: 7/01/2013

...

I. PURPOSE

To assure compliance with the requirements of the Health Insurance Portability and Accountability Act (HIPAA) of 1996, the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 and the Omnibus Privacy Final Rule of 2013 in relation to disclosures of Protected Health Information (PHI) and to entering into contracts with business associates.

...

Under the direction of the President, the Deans, Executive Senior Vice President for Administration and Strategic Planning, Executive Vice President for Academic and Clinical Affairs, Chief Compliance & Privacy Officer, Vice President for Finance and CFO Treasurer, and Senior Vice President and General Counsel shall ensure compliance with this policy.

...

This policy shall apply to disclosures to business associates of health information that is generated during the provision of health care to patients in any of RowanSOM's patient care units, patient care centers or faculty practices, as well as in Human Subjects research under the auspices of RowanSOM or by any of its agents, in all RowanSOM Units, Departments and University owned or operated facilities.

IV. DEFINITIONS

A. "Protected Health Information (PHI)" - Protected health information means individually identifiable health information that relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual, and that identifies or could reasonably be used to identify the individual. PHI of a decedent who has been deceased for more than 50 years is no longer considered PHI [160.103 and 164.502(f)].

  1. Except as provided in paragraph two (2) of this definition, PHI is individually identifiable health information that is: a) transmitted by electronic media; b) maintained in electronic media; or c) transmitted or maintained in any other form or medium.
  2. Protected health information excludes individually identifiable health information in: a) Education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; b) Records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and c) Employment records held by a covered entity in its role as employer.

B. "Business Associates (BA)" – An entity that "creates, receives, maintains, or transmits" PHI on behalf of the CE [Patient Safety and Quality Improvement Act (PSQIA) of 2005, 42 U.S.C. 299b-22, et seq.]. The BA now has direct liability for compliance with this rule (164.500), including implementing and operating Minimum Necessary [164.502(b)]. A Subcontractor is a person to whom the BA has delegated a function, activity or service that the BA has agreed to perform on behalf of the CE (160.103). Subcontractors must also comply with the privacy and security rules under the BA Agreement [164.504(e)(4)(ii)(B)]. The CE and BA are obligated to assess, administer and monitor the organizations "downstream" from the CE that manage PHI. The BA Agreement (BAA) with a subcontractor is entered into by the BA, not by the CE. A business associate is also any person, other than in the capacity of a member of the workforce, that on behalf of RowanSOM, its units, or any organized health care arrangement in which it participates, performs or assists in the performance of:

  1. a function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management and re-pricing; or
  2. any other function or activity regulated by HIPAA regulations; or
  3. legal, actuarial, accounting, auditing, consulting, data aggregation (as defined in 45 CFR § 164.501), management, administrative, accreditation, or financial services to or for RowanSOM University and/or its units, or to or for an organized health care arrangement in which RowanSOM and/or its units participate, where the provision of the service involves the disclosure of individually identifiable health information from such entities or arrangement, or from another business associate of such entities or arrangement, to the person.
  • Includes: Patient Safety Organizations (PSO), which receive patient safety information from providers and analyze it for purposes of compliance with PSQIA and the Patient Safety Rule, 42 CFR 3.10, et seq. Section 13408 of the HITECH Act includes a Health Information Organization (HIO), E-prescribing gateway or Regional Health Information Organization which on a "routine basis" maintains, oversees and governs the exchange of health related information between organizations, as a BA.

C. "Workforce" – Faculty, employees, students, volunteers, trainees, and other persons whose conduct, in the performance of work for RowanSOM and/or its units, is under the direct control of such entity(ies), whether or not they are paid by Rowan University SOM.

D. "HITECH Act" - Section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009 (ARRA), which was enacted on February 17, 2009.

...

E. 45 CFR 164.532 (d) and (e), Code of Federal Regulations, Title 45, Part 164, Section 532, Subpart E, Security and Privacy, Uses and disclosures: Organizational requirements, Privacy of Individually Identifiable Health Information and (d) Standard: Effect of Prior Contracts or Other Arrangements with Business Associates

F. Sections 13404 and 13410(d) of the HITECH Act - Breach Notification Interim Final Regulation (74 FR 42740) - August 2009.

G. Uses and Disclosures of Health Information With and Without an Authorization

H. Omnibus Privacy Final Rule 2013

II. Standards for Privacy of Individually Identifiable Health Information

...

Independent service organizations (ISO) offering clinical/biomedical engineering services

Insurance brokers

Interpreter services (both deaf and foreign language)

Janitorial services; waste disposal and recycling services and companies

Law firms, its staff and employees

Lobbyists

Mailing houses

Maintenance contractors

Management services

Marketing services or firms

Medical equipment testing/ repair services

Medical or Physician associations (National and State)

Medical record moving companies

Medical record storage companies

Medical record transcription services

Medical software vendors

Microfilm conversion providers

Organ and Tissue Banks

Organ procurement organization

Outsourced document shredders

Patient advocates

Pharmaceutical companies

Pharmaceutical manufacturers

Pharmaceutical representatives

Plasma Donor Centers

Printing companies (ID cards and other member materials)

Private health data systems

Professional liability insurance carriers

Recycling services and companies

Software vendors

Sperm Banks

Temporary Staffing Companies

Third-party administrators

Trade associations

Utilization management vendors

Value added networks

Vendors to business associates, if the engagement involves the disclosure of individually identifiable health information

Waste disposal services and companies


ATTACHMENT 3

Treatment, Payment and Health Care Operations 

...


[1] An expanded definition of the foregoing terms, as well as the definitions of other relevant terms, is available on the RowanSOM website at https://www.rowan.edu/compliance. Terms used in this Business Associate Agreement but not otherwise defined shall have the meaning ascribed to those terms in HIPAA, the HITECH Act, and any current and future regulations promulgated under HIPAA and/or the HITECH Act. See 45 C.F.R. 160.103, 164.402 and 164.501.