ROWAN UNIVERSITY POLICY
Title: Requests for Amendment of Protected Health Information
Subject: Office of Compliance & Corporate Integrity (OCCI)
Policy No: OCCI: 2013: P05
Issuing Authority: RowanSOM Chief Compliance & Privacy Officer & RowanSOM Security Officer
Responsible Authority: RowanSOM Compliance & Privacy Officer & Rowan Security Officer
To establish guidelines for assuring that all Rowan University School of Medicine (SOM) units that create designated record sets containing Protected Health Information (PHI) have a process to respond to patient’s requests for amendments of their individual health information.
Under the direction of the President, Senior Vice President for Health Sciences, Dean, Associate Deans, Executive Director, Chief Compliance Officer, and Vice President for Research shall ensure compliance with this policy.
This policy shall apply to health information that is generated during provisions of health care to patients in any of the University’s patient care units, patient care centers or faculty practices as well as Human Subjects research under the auspices of the University or by any of its agents in all RowanSOM departments and University owned or operated facilities.
A. “Protected Health Information (PHI)” - Protected health information means individually identifiable health information that relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual or the past, present or future payment for the provision of health care to an individual and identifies or could reasonably be used to identify the individual. The PHI of an individual, who has been deceased for more than 50 years, will not be protected [164.502(f)].
- Except as provided in paragraph two (2) of this definition that is: a) transmitted by electronic media; b) maintained in electronic media; or c) transmitted or maintained in any other form or medium
- Protected health information excludes individually identifiable health information in: a) Education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; b) Records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and c) Employment records held by a covered entity in its role as employer.
B. Designated record set- Medical or billing records about individuals maintained by or for a healthcare provider; the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or records used in whole or in part by or for the provider to make decisions about individuals
A. 45 CFR 164.526, Code of Federal Regulations Title 45, Section 164, Part 526, Security and Privacy, Amendment of Protected Health Information [i]
B. Uses and Disclosures of Health Information With and Without an Authorization [ii]
C. Standards for Privacy of Individually Identifiable Health Information Policy [iii]
D. Access of Individuals to Protected Health Information Policy [iv]
A. All RowanSOM units must maintain a process to enable its patients to request an amendment of their individual health information held by the unit. Such requests must be made in writing and include a reason supporting the amendment.
B. An individual has the right to request a healthcare unit to amend his or her health information. Units should require individuals to make such requests in writing and to provide a reason to support the amendment. Rowan University's SOM Notice of Privacy Practices informs individuals in advance of such requirements. An example of a Request for Amendment or Correction of Individual Health Information Form Request for Amendment or Correction of Individual Health Information Form [v] can be accessed on the Rowan.edu website.
- The unit may deny the request if the health information that is the subject of the request meets the following conditions:
- It was not created by the unit, unless the originator is no longer available to act on the request.
- It is not part of the individual's designated health record.
- It would not be accessible to the individual for the reasons under University policy, Access of Individuals to Protected Health Information.
- It is accurate and complete.
- The unit must act on the individual's request for amendment no later than thirty (30) days after receipt of the request for an amendment. The unit may have a one - time extension of up to thirty (30) days for an amendment request provided the unit gives the individual a written statement of the reason for the delay, and the date by which the amendment will be processed.
- If the request is granted, the unit must:
- Insert the amendment or provide a link to the amendment at the site of the information that is the subject of the request for amendment.
- Inform the individual that the amendment is accepted.
- Obtain the individual's identification of; and agreement to have the unit notify the relevant persons with whom the amendment needs to be shared.
- Within a reasonable time frame, make reasonable efforts to provide the amendment to persons identified by the individual, and persons, including business associates, that the unit knows have the PHI that is the subject of the amendment and that may have relied on or could foreseeably rely on the information to the detriment of the individual.
- If the unit denies the requested amendment, it must provide the individual with a timely, written denial in plain language that contains:
- The basis for the denial.
- The individual's right to submit a written statement disagreeing with the denial and how the individual may file such a statement.
- A statement that if the individual does not submit a statement of disagreement, the individual may request that the unit, provide the individual's request for amendment and the denial with any future disclosures of PHI.
- A description of how the individual may complain to the unit or to the Secretary of the Department of Health and Human Services (DHHS).
- The name or title, and telephone number of the designated contact person who handles complaints for the unit.
- The unit must permit the individual to submit to the unit a written statement disagreeing with the denial of all or part of a requested amendment and the basis of such disagreement. The unit may reasonably limit the length of a statement of disagreement.
- The unit may prepare a written rebuttal to the individual's statement of disagreement. Whenever such a rebuttal is prepared, the unit must provide a copy to the individual who submitted the statement of disagreement.
- The unit must, as appropriate, identify the record of PHI that is the subject of the disputed amendment and append or otherwise link the individual's request for an amendment, the unit's denial of the request, the individual's statement of disagreement, if any, and the unit's rebuttal, if any.
- If a statement of disagreement has been submitted by the individual, the unit must include the material appended or an accurate summary of such information with any subsequent disclosure of the PHI to which the disagreement relates.
- If the individual has not submitted a written statement of disagreement, the unit must include the individual's request for amendment and its denial, or an accurate summary of such information, with any subsequent disclosure of PHI only if the individual has requested such action.
- When a subsequent disclosure is made using a standard transaction that does not permit the additional material to be included, the unit may separately transmit the material required.
- A unit that is informed by another unit of an amendment to an individual's PHI must amend the PHI in written or electronic form.
- A unit must document the titles for the persons or offices responsible for receiving and processing requests for amendments.
A. Attachment 1, Hyperlinks
By Direction of the President:
Signature on file
RowanSOM Chief Compliance and Privacy Officer
By Direction of the President:
Signature on file
Rowan Security Officer
[i] 45 CFR 164.526, Code of Federal Regulations Title 45, Section 164, Part 526, Security and Privacy, Amendment of Protected Health Information.
[ii] Uses and Disclosures of Health Information With and Without an Authorization
[iii] Standards for Privacy of Individually Identifiable Health Information Policy
[iv] Access of Individuals to Protected Health Information Policy