University Policies

Page tree

Versions Compared

Old Version 21

changes.mady.by.user Raghu, Rachana

Saved on

compared with

New Version 22

changes.mady.by.user Raghu, Rachana

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

C. Workforce – Faculty, employees, students, volunteers, trainees, and other persons whose conduct,in  in the performance of work for RowanSOM and/or its units, is under the direct control of suchentitysuch entity(ies), whether or not they are paid by Rowan University SOM.

...

VI. POLICY

A. Requirements:

  1. RowanSOM and/or its units may only allow an individual or entity that is not part of its workforce that provides certain services to RowanSOM and/or its units, or performs a function or activity on its behalf, to create or receive PHI without an authorization if the individual or entity:
    1. meets the definition of a business associate as described above, and
    2. enter into a written business associate contract with RowanSOM that meets the elements in 45 CFR 164.504(e) with RowanSOM.
  2. To determine whether the person or entity is required to enter into a business associate contract, use the following guidelines with the attached flowchart (EXHIBIT AAttachment 1):
    1. No contract is needed with members of the workforce as defined in the definition. An independent contractor may be considered a member of the workforce if RowanSOM exercises supervision and control over the person as it would if the independent contractor was an employee.
    2. A contract is necessary with persons who meet the definition of a business associate. (Since business associates access PHI without obtaining authorizations from the individuals to whom the PHI pertain, it is important that units do not inappropriately classify a person as a business associate and therefore fail to obtain the required authorization).
      • A business associate is someone who does the following:
        • Performs or assists in the performance of a function or activity on behalf of RowanSOM and/or its units including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, re-pricing, and any other function regulated by 45 CFR 164.504.
          For examples see
      EXHIBIT B
        • attachment 2 for a list of specific types of persons, entities, and services that may qualify as a business associate provided that they meet all the elements discussed in this policy and procedure (i.e. the person will perform a function on behalf of RowanSOM that is not for the purposes of treatment only, etc).
        • Provides legal, auditing, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, paper recycling, shredder companies, transcription services, record copy services, offsite storage, information technology (IT) services where confidentiality, integrity or availability of ePHI is at risk, including software/hardware support of computing medical devices, and/or application services such email, web or database services or financial services for Rowan University.
      Researchers 
      • Researchers - This is not a covered function for purposes of a business associate contract.
      • Financial
      Transactions 
      • Transactions - No business associate agreement is required with a financial institution if it only processes consumer-conducted financial transactions in payment for health care.
        For example, a bank that processes credit or debit card transactions or clears checks for a hospital would not be considered a business associate. Although some PHI of the patient is disclosed to a financial institution in this example, such as the
      patient's
      • patient’s identity and perhaps some health information (e.g., the procedure performed), these facts do not create a business associate relationship because the bank is not acting on behalf of the hospital in performing
      its functions
      • its functions. The hospital is not in the business of directly processing credit card transactions or cashing checks.
    3. No contract is needed when the person or entity's entity’s function or service does not involve the use and disclosure of PHI, and where access to PHI by such persons would be de minimus or incidental, if at all.
      For example, it is not required that RowanSOM enter into a contract with janitorial services, waste disposal of sealed materials, or equipment repair because the performance of such services does not involve the use and disclosure of PHI. In this case, any incidental contacts or disclosures are permitted under the federal privacy laws as an incidental disclosure, provided that reasonable safeguards are in place to prevent such disclosures.
    4. No contract is needed with another healthcare provider when the use or disclosure of the PHI is for treatment purposes.
      • If the relationship between the healthcare providers also includes involvement of PHI for operational or payment purposes, then a contract is necessary.
        Examples: A hospital enlists the services of another healthcare provider to assist in the
      hospital's
      • hospital’s training of medical students. A physician, outside the workforce, serves as a medical director, or provides quality assurance or utilization management services through participation in hospital committees.
      • For the definition and examples of the term treatment, payment, operations see
      EXHIBIT C
      • attachment 3.
    5. If it is unclear as to whether the business associate definition has been met or if it is met, whether a contract is necessary, contact Legal Management for assistance. Generally, if it continues to be unclear as to whether there is a business associate relationship, no information should be shared with the person or entity without the patient's authorization.

B. Responsibilities:

  1. Documentation of Business Associate Agreement
    • RowanSOM and its units will document the satisfactory assurances of protecting health information through a written contract with the business associate that meets the applicable requirements of the Health Insurance and Portability Act (HIPAA), 45 CFR 164.504(e) and 164.308(b).
    • All RowanSOM units must assure that the individuals and entities identified above agree in writing to the provisions in the attached business associate contract prior to engaging their services or allowing them to encounter any PHI. See
    2. EXHIBIT D
    • attachment 4.
  3. Disclosure of Protected Health Information
    RowanSOM and its units may disclose protected health information (PHI) to a business associate and may allow a business associate to create or receive PHI on
    4. its behalf
  4. its behalf, if satisfactory assurances are obtained that the business associate
    5. will appropriately
  5. will appropriately safeguard the information. The CE and BA must maintain an accurate disclosure log, including who, what, when, where and why PHI was disclosed. The sale of PHI occurs when the CE or BA receive renumeration; directly or indirectly, from or on behalf of the recipient of PHI. The sale of PHI generally means disclosure of PHI. Additional individual authorization is required for disclosure of psychotherapy notes and marketing purposes.
  6. Responsibility of Individuals Authorized to Contract for Rowan University
    Any individual authorized to contract for RowanSOM, or who enters into any form of relationship on behalf of RowanSOM; in which PHI is exchanged or in which another entity has access to PHI other than a relationship with another treating provider relating to the treatment of patients, is responsible to obtain satisfactory assurances of protecting health information through the approved business associate contracting process and with the approved business associate contract. Failure to meet this responsibility is subject to disciplinary action up to and including termination and/or dismissal.
  7. RowanSOM and its units must require business associates to return or destroy all PHI in its possession at the termination of the contract when feasible and permitted by law.
  8. For purposes of internal monitoring of compliance with this policy and procedure, all RowanSOM units must maintain a log of all arrangements with parties outside of the workforce accessing business associate arrangements including:
    1. The name of the business associate.
    2. The type of services provided to RowanSOM, or the function or activity performed on behalf of RowanSOM.
    3. The date the business associate provisions were entered into.
    4. The date the performance or services begin.
    5. The type of protected health information that will be shared with the business associate.
    6. Whether any of the protected health information will be shared through electronic means.
  9. The above log must be made available to RowanSOM and the unit's privacy officers upon request.
  10. Business associates may only use and disclose PHI to the extent that RowanSOM would be allowed to use and disclose the information. See RowanSOM policy, Uses and Disclosures of Health Information With and Without an Authorization. Only the information minimally necessary to complete the purpose of the service or function may be shared.

VII. ATTACHMENTS

A. Attachment 1, Is a Person or Entity a "Business Associate" and Required to Enter Into a Written Business Associate Contract?

...

D. Attachment 4, Business Associates Agreement Involving the Access to Protected Health Information

E. Attachment 5,  HyperlinkHyperlink

 

By Direction of the President: 

 

Signature on file

                                                                                                       

RowanSOM Chief Compliance and Privacy Officer

 

 

 

By Direction of the President:

 

 

Signature on file

                                                                                                       

...


ATTACHMENT 1
Is a Person or Entity a "Business Associate" and 
Required to Enter Into a Written Business Associate Contract?

Image RemovedImage Added

 


ATTACHMENT 2 
Examples of Potential Business Associates 

(This is not an all-inclusive list, nor is every arrangement listed necessarily a business associate. Use the attached flowchart and policy and procedure to analyze whether the relationship is a business associate relationship under HIPPA. Contact Legal Management at 2-4705 for assistance in the analysis.)

 

Accountants

Accounting services and firms

Accreditation services

Actuarial services

Actuarial specialists

Adjudication services

Administrative services

Advertisers

Architects, builders, and contractors

Asset-based lenders to healthcare facilities

Attorneys

Auditors

Billing service companies

Bulk mailing services

Care management programs

Civic groups and other local groups help out on ad hoc basis with patients who are hospitalized for a traumatic event or complicated illness (e.g., Shrine Temples, Ronald McDonald House)

Coding providers and experts

Community health management information systems

Computer maintenance services and companies

Consulting services

Contract Research Organization – An entity used by pharmaceutical and device manufactures to monitor clinical research trials

Copy services

Data aggregation services

Device manufactures

Document storage and destruction vendors

Financial service companies

Government health data systems

Hardware vendors

Healthcare consultants (e.g., risk management, information technology, billing, coding and management)

Hospital associations (National and State)

HVAC vendors

Independent contractors

...

ATTACHMENT 2 (continued) 
Examples of Potential Business Associates

...

Treatment, Payment and Health Care Operations 

IA. "Treatment" - the provision, coordination, or management of health care and related services by one or more health care providers, including:

  1. the coordination or management of health care by a health care provider with a third party;
  2. consultation between health care providers relating to a patient; or
  3. the referral of a patient for health care from one health care provider to another. 

IIB. "Payment" - the activities undertaken to obtain payment for the provision of healthcare; and relates to the individual to whom health care is provided and includes, but is not limited to:

...

    1. Name and address;
    2. Date of Birth;
    3. Social Security Number;
    4. Payment history;
    5. Account number; and
    6. Name and address of the health care provider and/or health plan.

IIIC. "Health Care Operations" - any of the following activities:

...

    1. Resolution of internal grievances;
    2. Due diligence in connection with the sale or transfer of assets to a potential successor in interest, if the potential successor in interest is a covered entity or, following completion of the sale or transfer, will become a covered entity.

...

ATTACHMENT 4

Business Associates Agreement Involving the Access to Protected Health Information 

...

Effective Date of Underlying Agreement:_________

School/Unit:  _______________________________

Vendor: ___________________________________

Business Associate Agreement
Involving the Access to Protected Health Information 

...

A. Business Associate agrees and acknowledges that there is a more than low probability that the PHI has been compromised and irreparable harm will result to Covered Entity, and to its business, in the event of breach by Business Associate of any covenants, duties, obligations and assurances in this BAA and further agrees that remedy at law for any such breach shall be inadequate and that damages resulting there from, are not susceptible to being measured in monetary terms. In the event of any such breach or threatened breach by Business Associate, Covered Entity shall be entitled to  immediately enjoin and restrain Business Associate from any continuing violations and (ii) reimbursement for reasonable attorneys' fees, costs and expenses incurred as a proximate result of the breach. The remedies in this Section V shall be in addition to any action for damages and/or other remedy available to Covered Entity for such breach. 

B. Business Associate shall indemnify and hold Covered Entity, its directors, officers, employees and agents harmless from any and all liabilities, damages, reasonable attorneys' fees, costs and expenses incurred by Covered Entity as a result of a breach of this BAA caused by Business Associate's actions or inactions and/or those of its employees and agents. 

C. Business Associate agrees and acknowledges that the provisions of this BAA shall be strictly construed.

...