ROWAN UNIVERSITY POLICY

Title: Fax Machine Transmittal of Confidential, Sensitive or Protected Health Information (PHI)
Subject: Office of Compliance & Corporate Integrity (OCCI)
Policy No: OCCI: 2013: P13
Applies: RowanSOM
Issuing Authority: Rowan President & RowanSOM Dean
Responsible Authority: RowanSOM Chief Compliance and Privacy Officer & RowanSOM Chief Information Officer
Adopted: 01/03/2003
Reviewed: 10/24/2011
Amended: 07/01/2013
Last Reviewed: 01/06/2014

I. PURPOSE

To ensure Rowan University's School of Osteopathic Medicine (RowanSOM) compliance with the Health Information Portability and Accountability Act of 1996 (HIPAA), Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009 and Omnibus Privacy Final Rule of 2013 and the Standards for Privacy of Individually Identifiable Health Information and to safeguard confidential, sensitive and Protected Health Information (PHI) and other information protected by State or Federal regulations and RowanSOM policy that are transmitted by facsimile (fax).

II. ACCOUNTABILITY

Under the direction of the President, the Dean, General Counsel, Chief Information Officer and Chief Compliance and Privacy Officer shall ensure compliance with this policy. The Dean, President and Vice Presidents shall implement this policy.

III. APPLICABILITY

This policy shall apply to all confidential, sensitive or PHI protected from general access by State or Federal regulations and RowanSOM policy. Confidential and sensitive information includes patient, student, employee health, personnel records, financial data and communications pertaining to such. It also includes health information that is generated during the provision of health care to patients in any of RowanSOM's patient care units, patient care centers or faculty practices, as well as Human Subjects research under the auspices of RowanSOM or by any of its agents in all RowanSOM schools, units, departments and RowanSOM owned or operated facilities.

IV. DEFINITIONS

"Protected Health Information (PHI)" - Protected health information means individually identifiable health information that relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual or the past, present or future payment for the provision of health care to an individual and identifies or could reasonably be used to identify the individual, as defined by law. PHI of individual patients who have been deceased for more than 50 years will not be protected (164.502(f)).

  1. Except as provided in paragraph two (2) of this definition, that is: a) transmitted by electronic media; b) maintained in electronic media; or c) transmitted or maintained in any other form or medium.
  2. Protected health information excludes individually identifiable health information in: a) Education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; b) Records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and c) Employment records held by a covered entity in its role as employer.

"Sensitive Protected Health Information" - Protected Health Information that pertains to (i) an individual's HIV status or treatment of an individual for an HIV-related illness or AIDS, (ii) an individual's substance abuse condition or the treatment of an individual for a substance abuse disorder or (iii) an individual's mental health condition or treatment of an individual for mental illness.

"Sensitive Electronic Information (SEI)" - includes electronic information that is protected by state or federal regulations. As such, it includes Protected Health Information (PHI) as defined under HIPAA regulations, as well as information governed by Gramm-Leach-Bliley Act (GLB) and other applicable regulations.

"Secure location" - a location that is not accessible to the general public.

V. REFERENCES

A. 45 CFR, 160, Code of Federal Regulations, Title 45, Part 160, Subpart C, General Administrative Requirements, Compliance and Enforcement

...

 L. Protected Health Information Breach Notification Policy

VI. POLICY

A. RowanSOM is committed to safeguarding PHI and other protected information in order to fulfill its mission to patients and to operate in a manner that is consistent with applicable Federal and State laws and regulations. Consequently, RowanSOM will exercise special care regarding the location and operation of fax machines. Fax and copier machines are not usually considered storage devices, but they have large memory hard drives, can store PHI and must be properly protected and secured. Appropriate safeguards would include monitoring or restricting access to these devices, and hard drives should be sterilized of PHI before they are "turned in" or sold. All CE and BA, including "downline" subcontractors, should protect these devices as PHI.

...

    • Fax machines that receive faxes that include PHI will be located in Secure Areas. If an employee receives a fax containing PHI on a fax machine that is not in a Secure Area, the recipient of the fax will promptly advise the sender that the receiving fax machine should not be used for the transmission of such information.
    • Fax machines will be checked on a regular basis to minimize the amount of time incoming faxes that contain PHI are left on the machines. Employees who monitor the fax machines, or the employee who sees such a fax on the machine, will promptly remove incoming faxes and deliver them to the proper person.
    • If an employee receives a fax addressed to someone other than the employee and the person to whom the fax is addressed is someone at RowanSOM, the employee will promptly notify the individual to whom the fax was addressed and deliver or make arrangements to deliver the mis-directed fax as directed by the intended recipient.
    • If an employee receives a fax addressed to someone other than the employee and the person to whom the fax is addressed is NOT affiliated with RowanSOM, the employee will promptly notify the sender, and destroy or return the faxed material as directed by the sender.
    • Employees who routinely receive faxes containing PHI from other individuals or organizations (either internal or external sources) will promptly advise those regular senders of any changes to the employee's fax number.
    • Faxes with PHI should be placed in a secure/confidential place when they are delivered and not left in a location that is in full view of passers-by.

VII. ATTACHMENTS

A. Attachment 1, Sanctions for Non-Compliance

B. Attachment 2, Retaliation / Waiver

C. Attachment 3, Confidential Fax Cover Sheet

By Direction of the President:
Signature on File
__________________________________________
RowanSOM Chief Compliance and Privacy Officer
Signature on File
_________________________________________
RowanSOM Chief Information Officer

ATTACHMENT 1 

SANCTIONS FOR NON-COMPLIANCE

RowanSOM will apply appropriate sanctions against any member of the workforce who fails to comply with RowanSOM privacy policies and procedures. The Dean, and President, with the assistance of the Department of Human Resources, will enforce the sanctions appropriately and consistently. RowanSOM will document all sanctions that are applied.

ATTACHMENT 2

RETALIATION/WAIVER

RowanSOM may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for the exercise by the individual of any privacy right. RowanSOM may not require individuals to waive their privacy rights as a condition of the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits.

ATTACHMENT 3
CONFIDENTIAL FAX COVER SHEET

“Confidential Protected Health and Other Information Enclosed”

Protected Health Information is personal and sensitive information related to a person’s health care. The other protected information may include information protected by State or Federal regulations and University policy. You, the recipient, are obligated to maintain it in a safe, secure and confidential manner. Re-disclosure without additional patient consent or as permitted by law is prohibited. Unauthorized re-disclosure or failure to maintain confidentiality could subject you to penalties described in federal and state law.

...