To establish a policy and procedure to ensure Rowan University’s School of Osteopathic Medicine (RowanSOM) compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 and the Omnibus Privacy Final Rule of 2013 in providing an individual the right to receive an accounting of disclosures of his/her Protected Health Information (PHI), made by RowanSOM and/or its covered entities.
Under the direction of the President, the Senior VP for Medical Initiatives and Affiliated Campuses, Dean, the Chief Audit, Compliance & Privacy Officer, and Vice President for Research shall ensure compliance with this policy.
This policy shall apply to health information that is generated during provisions of health care to patients in any of the University’s patient care units, patient care centers or faculty practices as well as Human Subjects research under the auspices of the University or by any of its agents in all RowanSOM Schools, Units, Departments and University owned or operated facilities.
“Protected Health Information (PHI)” means individually identifiable health information that relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual or the past, present or future payment for the provision of health care to an individual and identifies or could reasonably be used to identify the individual. If a patient has been deceased for more than fifty (50) years, the PHI is no longer considered protected. This is not a record retention requirement and covered entities may destroy medical records according to the State or other applicable laws. When individually identifiable health information is created, received, maintained or transmitted by a Business Associate and tied to a covered entity is considered PHI.
Except as provided in paragraph (b) of this definition that is:
transmitted by electronic media
maintained in electronic media
transmitted or maintained in any other form or medium
Protected health information excludes individually identifiable health information in:
Education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g
Records described at 20 U.S.C. 1232g(a)(4)(B)(iv)
Employment records held by a covered entity in its role as employer
The following policies provide additional and related information:
A. Requirements:
B. Responsibilities:
Each RowanSOM unit will implement a process to provide an accounting to individuals of all disclosures except:
disclosures to carry out treatment, payment and healthcare operations
disclosures to the individual of PHI about themselves
disclosures for the facility’s directory or to persons involved in the individual’s care or other notification purposes
disclosures for national security or intelligence purposes
disclosures to correctional institutions or law enforcement officials, as provided
disclosures that occurred prior to April 14, 2003
disclosures pursuant to an authorization
disclosures incident to a use and disclosure otherwise permitted
disclosures that are part of a limited data set in accordance with 45 CFR 164.514(e)
An accounting must cover a period of six (6) years, unless the request specifies a shorter period.
Each RowanSOM unit will implement a process to provide an accounting to individuals of all disclosures. The accounting for each disclosure must include:
the date of the disclosure request
reason why entity needs PHI
name(s) of RowanSOM employee processed the request
log of whether or not the entity was eligible to receive PHI
if the PHI was transmitted to requesting entity
the name and address of the entity or person who received the PHI
accurate description of the PHI disclosed
when the PHI was sent to requesting entity
how the PHI was sent to requesting entity
a copy of a written request for disclosure (i.e. subpoena, etc).
confirmation of entity receiving requested PHI
If a RowanSOM unit has made multiple disclosures of PHI to the same person or entity for a single purpose, the accounting with respect to such multiple disclosures should provide:
the information required as described in section VI.A.3. for the first disclosure during the accounting period
the frequency or number of the disclosures made during the accounting period
the date of the last disclosure during the accounting period
All RowanSOM units must document and retain for six (6) years the following information:
the information required to be included in an accounting as discussed in section VI.B.3
the written accounting itself that was given to the requesting individual
the titles of persons or offices responsible for receiving and processing requests for an accounting
If, during the period covered by the accounting, a unit has made disclosures of PHI for a particular research purpose in accordance with CFR 164.512(i) for fifty (50) or more individuals, the accounting may, with respect to such disclosures for which the PHI about the individual may have been included, provide:
The name of the protocol or other research activity
A description, in plain language, of the research protocol or other research activity, including the purpose of the research and the criteria for selecting particular records
A brief description of the type of PHI that was disclosed
The date or period of time during which such disclosures occurred, or may have occurred, including the date of the last such disclosure during the accounting period
The name, address, and telephone number of the entity that sponsored the research and of the researcher to whom the information was disclosed
A statement that the PHI of the individual may or may not have been disclosed for a particular protocol or other research activity
If the unit provides an accounting for research disclosures in accordance with section VI.B.6. and it is reasonably likely that the PHI of the individual was disclosed for such research protocol or activity, the unit must, at the request of the individual, assist in contacting the entity that sponsored the research and the researcher.
By Direction of the President:
Signature on file
Chief Audit, Compliance and Privacy Officer