ROWAN UNIVERSITY POLICY


Title:
Access of Individuals to Protected Health Information (PHI)
Subject: Office of Compliance & Corporate Integrity (OCCI)
Policy No: OCCI:2013:C11
Applies: RowanSOM
Issuing Authority: President
Responsible Officer: Chief Audit, Compliance and Privacy Officer; Rowan Director of Information Security
Adopted: 07/01/2013
Last Revision: 01/26/2021
Last Reviewed: 01/26/2021

I.     PURPOSE

To establish a policy to ensure Rowan School of Osteopathic Medicine (RowanSOM) compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Omnibus Final Privacy Rule of 2013, in providing an individual the right of access to inspect and obtain a copy of Protected Health Information (PHI) about the individual in a designated record set.

II.   ACCOUNTABILITY

Under the direction of the President, the Dean, the Senior VP for Medical Initiatives and Affiliated Campuses, General Counsel, Chief Audit, Compliance & Privacy Officer, Vice President for Research shall ensure compliance with this policy.

III.  APPLICABILITY

This policy shall apply to health information that is generated during provisions of health care to patients in any of RowanSOM’s patient care units, patient care centers or faculty practices as well as Human Subjects research under the auspices of RowanSOM or by any of its agents in all RowanSOM departments and RowanSOM owned or operated facilities.

IV.  REFERENCES

  1. 45 CFR 164.524, Title 45, Code of Federal Regulations, Part 164, Section 524, Security and Privacy, Access of Individuals to Protected Health Information
  2. Privacy Act, 5 U.S.C. 552a
  3. Omnibus Final Privacy Rule of 2013,Section 164.524
  4. Standards for Privacy of Individually Identifiable Health Information
  5. Uses and Disclosures of Health Information with and Without Authorization.

V.   POLICY

RowanSOM and/or its covered entities must provide an individual with the right of access to inspect and obtain a copy of protected health information pertaining to the individual in a designated record set as long as the record is maintained by RowanSOM. RowanSOM requires individuals to make requests for access in writing.  A copy of the Request for Access to Protected Health Information form may be accessed at the Rowan Compliance website.

  1. Requirements:
    1. RowanSOM and/or its covered entities must provide access to inspect and obtain a copy of an individual’s PHI, except for:
      1. psychotherapy notes
      2. information compiled in reasonable anticipation of, or for use in, a civil, criminal or administrative action or proceeding
      3. PHI maintained by RowanSOM that is subject to Clinical Laboratory Improvements Act (CLIA) amendments of 1988 to the extent that CLIA would prohibit an individual’s access to the information in question.
    2. RowanSOM may deny an individual access without providing the individual an opportunity for review in the following circumstances:
      1. Unreviewable Grounds for Denial
        1. The PHI is the subject of one of the items in section V.A.
        2. The PHI was created or obtained by a covered health care provider in the course of research that includes treatment, provided that the individual had agreed to the denial of access at the time consent was given by the individual for participation in the research. In this instance, the right of access for PHI is temporarily suspended and will be reinstated upon the completion of the research.
        3. The PHI was obtained from someone other than a health care provider under a promise of confidentiality and the access requested would be reasonably likely to reveal the source of the information.
        4. The PHI that is contained in records, are subject to the Privacy Act, 5 U.S.C. 552a, if the denial of access under the Privacy Act would meet the requirements of that law.
    3. RowanSOM may deny an individual access providing the individual is given a right to have such denial reviewed by a licensed health care professional who is designated by RowanSOM to act as a reviewing official and who did not participate in the original decision to deny in the following circumstances:
      1. Reviewable Grounds for Denial
        1. A licensed health care professional has determined that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person.
        2. The PHI makes reference to another person and a licensed health care professional makes the determination that the access requested is reasonably likely to cause substantial harm to such other person.
        3. The request for access is made by the individual’s personal representative and a licensed health care professional makes the determination that the provision of access to the personal representative is reasonably likely to cause substantial harm to the individual or another person.
  2. Responsibilities:
    1. If the individual has requested a review of a denial, RowanSOM must promptly designate, and refer the request to a licensed health care professional, who was not directly involved in the denial, to review the decision to deny access. The designated reviewing official, within a reasonable period of time, must determine whether or not to deny the access requested based on the standards put forth in this policy. RowanSOM must promptly provide written notice to the individual of the determination of the designated reviewing official and take other actions as required to carry out the designated reviewing official’s determination.
    2. RowanSOM and/or its covered entities must act on requests to access PHI within thirty (30) days after receipt of request. If the request is for PHI not maintained or accessible to RowanSOM on-site, RowanSOM must take action by no later than sixty (60) days from the receipt of such a request. However, RowanSOM must provide a written statement of the reasons for the delay and the date by which RowanSOM will complete its action on the request. No other time extensions will be granted in excess of sixty (60) days.
    3. If RowanSOM and/or its covered entities grant the request to access the PHI, in whole or in part, RowanSOM must inform the individual of the acceptance of the request and provide the access requested by:
      1. Providing the access requested RowanSOM must provide the access requested by individuals, including inspection or obtaining a copy, or both, of the PHI about them in designated record sets. If the same PHI that is the subject of a request for access is maintained in more than one designated record set or at more than one location, RowanSOM need only produce the PHI once in response to a request for access.
      2. Form of access requested
        1. Must provide the individual with access to the PHI in the form or format requested by the individual, if it is readily producible in such form or format; or in a readable hard copy form or such other form or format as agreed to by RowanSOM and the individual.
        2. May provide the individual with a summary of the PHI requested, instead of providing access to the PHI, or may provide an explanation of the PHI to which access has been provided, if:
          • The individual agrees in advance to such a summary or explanation.
          • The individual agrees in advance to the fees imposed, if any, by the covered entity for such summary or explanation.
      3. Time and manner of access
        1. RowanSOM must provide the access, including arranging with the individual for a convenient time and place to inspect or obtain a copy of the PHI; or mailing the copy of the PHI at the individual’s request.
        2. RowanSOM may discuss the scope, format, and other aspects of the request for access with the individual as necessary to facilitate the timely provision of access.
          1.  If the individual requests a copy of the PHI or agrees to a summary or explanation of information, RowanSOM may impose a reasonable cost-based fee, provided that the fee includes only the cost of:
            1. Copying the PHI, including the cost of supplies and labor.
            2. Postage when the individual requested the copy, summary or explanation to be mailed.
            3. Preparing an explanation or summary of the PHI.
        3. If RowanSOM and/or its covered entities deny the request to access the PHI, in whole or in part, RowanSOM must provide the individual with a timely written denial. The denial must be in plain language and contain:
          1. The basis for the denial
          2. A statement of the individual’s review rights, including a description of how the individual may exercise such review rights.
          3. A description of how the individual may complain to RowanSOM, or the Department of Health and Human Services (DHHS), pursuant to the compliant procedures. The description must include the name, or title, and telephone number of the contact person or office.
      4. If RowanSOM and/or its covered entities do not maintain the PHI that is the subject of the individual’s request for access, and RowanSOM knows where the requested information is maintained, RowanSOM must inform the individual where to direct the request for access.
      5. RowanSOM must document and retain the following information:
        1. The designated record sets that are subject to access by individuals.
        2. The titles of the persons or offices responsible for receiving and processing requests for access by individuals.
        3. All requests made for access to PHI must be made to the individual designated by the Dean and Chief Audit, Compliance & Privacy Officer.

VI.   NON-COMPLIANCE AND SANCTIONS

Any individual who violates this policy shall be subject to discipline up to and including dismissal from the University in accordance with their union and University rules.  Civil and criminal penalties may be applied accordingly.  Violations of this policy may require retraining and be reviewed with employee during the annual appraisal process. The Deans of each College, Vice Presidents, and University President, with the assistance of the Department of Human Resources, will enforce the sanctions appropriately and consistently to all violators regardless of job titles or level within the University and in accordance with bargaining agreements for represented employees. Any sanction costs or fines will be borne by the Department and the Department Chair or VP will determine how these funds will be assigned.


Signature on file

__________________________________________
Chief Audit, Compliance & Privacy Officer



Signature on file

__________________________________________
Rowan Director of Information Security