ROWAN UNIVERSITY POLICY


Title: Fax Machine Transmittal of Confidential, Sensitive or Protected Health Information (PHI)
Subject: Office of Compliance & Corporate Integrity (OCCI)
Policy No: OCCI:2013:P13
Applies: RowanSOM
Issuing Authority: Rowan President & RowanSOM Dean
Responsible Officer: Chief Audit, Compliance and Privacy Officer; Chief Information Officer
Date Adopted: 07/01/2013
Last Revision: 03/25/2020
Last Reviewed: 03/25/2020

I.    PURPOSE

To ensure Rowan University’s School of Osteopathic Medicine (RowanSOM) compliance with the Health Information Portability and Accountability Act of 1996 (HIPAA), Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009 and Omnibus Privacy Final Rule of 2013 and the Standards for Privacy of Individually Identifiable Health Information and to safeguard confidential, sensitive and Protected Health Information (PHI) and other information protected by State or Federal regulations and RowanSOM policy that are transmitted by facsimile (fax).

II.   ACCOUNTABILITY

Under the direction of the President, the Senior Vice President for Administration, General Counsel and the Chief Audit, Compliance & Privacy Officer shall ensure compliance with this policy. The Dean, President, Vice Presidents, shall implement this policy.

III.  APPLICABILITY

This policy shall apply to all confidential, sensitive or PHI protected from general access by State or Federal regulations and RowanSOM policy. Confidential and sensitive information includes patient, student, employee health, personnel records, financial data and communications pertaining to such. Health information that is generated during provisions of health care to patients in any of RowanSOM’s patient care units, patient care centers or faculty practices, as well as Human Subjects research under the auspices of RowanSOM or by any of its agents in all RowanSOM schools, units, departments and RowanSOM owned or operated facilities.

IV.  DEFINITIONS

  1. Protected Health Information (PHI)” - Protected health information means individually identifiable health information that relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual or the past, present or future payment for the provision of health care to an individual and identifies or could reasonably be used to identify the individual, as defined by law. PHI of individual patient who have been deceased for more than 50 years, will not be protected 164.502(f).
  2. Except as provided in paragraph two (2) of this definition that is: a) transmitted by electronic media; b) maintained in electronic media; or c) transmitted or maintained in any other form or medium.
  3. Protected health information excludes individually identifiable health information in:
    1. Education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; b) Records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and c) Employment records held by a covered entity in its role as employer
    2. Sensitive Protected Health Information: Protected Health Information that pertains to (i) an individual's HIV status or treatment of an individual for an HIV-related illness or AIDS, (ii) an individual's substance abuse condition or the treatment of an individual for a substance abuse disorder or (iii) an individual's mental health condition or treatment of an individual for mental illness.
    3. Sensitive Electronic Information (SEI) - includes electronic information that is protected by state or federal regulations. As such, it includes Protected Health Information (PHI) as defined under HIPAA regulations, as well as information governed by Gramm-Leach-Bliley Act (GLB) and other applicable regulations.
    4. Secure location: a location that is not accessible to the general public.

V.   REFERENCES

  1. 45 CFR, 160, Code of Federal Regulations, Title 45, Part 160, Subpart C, General Administrative Requirements, Compliance and Enforcement
  2. 45 CFR, 164.514(e), Code of Federal Regulations, Title 45, Part 164, Subpart E, Security and Privacy, Privacy of Individually Identifiable Health Information
  3. 45 CFR, 164.530, Code of Federal Regulation, Security and Privacy, Administrative Requirements
  4. 45 CFR 164.524, Title 45, Code of Federal Regulations, Part 164, Section 524, Security and Privacy, Access of Individuals to Protected Health Information
  5. Privacy Act, 5 U.S.C. 552a
  6. Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009
  7. Omnibus Privacy Final Rule of 2013
  8. Standards for Privacy of Individually Identifiable Health Information Policy
  9. Access of Individuals to Protected Health Information Policy
  10. Uses and Disclosures of Health Information With and Without an Authorization Policy
  11. Accounting of Disclosures of Health Information Policy
  12. Protected Health Information Breach Notification Policy

VI.  POLICY

RowanSOM is committed to safeguarding PHI and other protected information in order to fulfill its mission to patients and to operate in a manner that is consistent with applicable Federal and State laws and regulations. Consequently, RowanSOM will exercise special care regarding the location and operation of fax machines. Fax and copier machines are not usually considered storage devices, but have large memory hard drives and can store PHI and must be properly protected and secured. Appropriate safeguards would include monitoring or restricting access to these devices and hard drives should be sterilized of PHI before they are “turned in” or sold. All CE and BA, including “downline” subcontractors should protect these devices as PHI.

Due care should be exercised when faxing PHI and other protected information. In addition, the faxing of sensitive protected health information, such as dealing with mental health, chemical dependency, sexually transmitted diseases, HIV or other highly personal information, should be avoided whenever possible.

Any incidents where incoming or outgoing faxes have compromised a patient’s right to privacy shall be immediately reported to the Chief Audit, Compliance & Privacy Officer for the Office of Compliance and Corporate Integrity.

  1. Requirements:
    1. Sending Faxes:

      1. Confidential FAX coversheets should be developed by departments utilizing the language in the sample Confidential Fax Cover Sheet and must include the following PHI statement:
        This message is intended for the use of the person or entity to which it is addressed and may contain information that is privileged and confidential, the disclosure of which is governed by applicable law. If the reader of this message is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this information is STRICTLY PROHIBITED. If you have received this message in error, please notify the sender immediately and arrange for the return or destruction of these documents.

      2. Employees will take reasonable steps to ensure that a fax transmission is sent to and received by the intended recipient. When the fax transmission includes PHI, "reasonable steps" include, but are not limited to, the following:
        1. Preprogrammed fax numbers must be periodically verified that they are still valid.
        2. When a fax number is entered manually (because it is not one of the pre-programmed numbers) the employee entering the number will visually check the recipient's fax number on the fax machine prior to starting the transmission.
        3. The name, business affiliation, telephone number and fax number of the intended recipient as well as the number of pages contained in the transmission will also appear on the cover sheet.
        4. Fax confirmation sheets will be checked immediately or as soon as possible after the fax has been transmitted, to confirm the material was faxed to the intended fax number. If the intended recipient notifies the sender that the fax was not received, the sender will use best efforts to determine whether the fax was inadvertently transmitted to another fax number by checking the fax confirmation sheet and/or the fax machine's internal logging system.
          1. If an employee becomes aware that a fax was sent to the wrong fax number, the employee will immediately attempt to contact the recipient by fax or telephone and request that the faxed documents, and any copies of them, be immediately returned to RowanSOM or destroyed. The employee's supervisor or the Chief Audit, Compliance & Privacy Officer will also be notified of the misdirected fax who will then perform an analysis of harm to the affected individual, as required by RowanSOM policy, Protected Health Information Breach Notification.
          2. Those recipients who regularly receive PHI via fax will be periodically reminded to notify RowanSOM of any change to the recipient's fax number.
          3. Fax confirmation sheets will be attached to and maintained with all faxed materials for six years.
          4. Faxing of Sensitive PHI (such as HIV/AIDS results or status or substance abuse and mental health treatment records) should be avoided whenever possible.
          5. When faxing PHI, employees will comply with all other RowanSOM privacy policies.
    2. Receiving Faxes:
      1. Employees who are intended recipients of faxes that contain PHI will take reasonable steps to minimize the possibility those faxes are viewed or received by someone else. These "reasonable steps" include, but are not limited to, the following:
        1. Fax machines that receive faxes that include PHI will be located in Secure Areas. If an employee receives a fax containing PHI on a fax machine that is not in a Secure Area, the recipient of the fax will promptly advise the sender that the receiving fax machine should not be used for the transmission of such information.
        2. Fax machines will be checked on a regular basis to minimize the amount of time incoming faxes that contain PHI are left on the machines. Employees who monitor the fax machines, or the employee who sees such a fax on the machine, will promptly remove incoming faxes and deliver them to the proper person.
        3. If an employee receives a fax addressed to someone other than the employee and the person to whom the fax is addressed is someone at RowanSOM, the employee will promptly notify the individual to whom the fax was addressed and deliver or make arrangements to deliver the misdirected fax as directed by the intended recipient.
        4. If an employee receives a fax addressed to someone other than the employee and the person to whom the fax is addressed is NOT affiliated with RowanSOM, the employee will promptly notify the sender, and destroy or return the faxed material as directed by the sender.
        5. Employees who routinely receive faxes containing PHI from other individuals or organizations (either internal or external sources) will promptly advise those regular senders of any changes to the employee's fax number.
        6. Faxes with PHI should be placed in a secure/confidential place when they are delivered and not left in a location that is in full view of passers-by.
  2. Responsibilites:
    1. Sanctions for Non-Compliance
      1. RowanSOM will apply appropriate sanctions against any member of the workforce who fails to comply with RowanSOM privacy policies and procedures. The Dean, and President, with the assistance of the Department of Human Resources, will enforce the sanctions appropriately and consistently. RowanSOM will document all sanctions that are applied.
    2. Retailiaion/Waiver
      1. RowanSOM may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for the exercise by the individual of any privacy right. RowanSOM may not require individuals to waive their privacy rights as a condition of the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits.

VII. ATTACHMENTS

 Attachment 1, Confidential Fax Cover Sheet


Under the Direction of the President:

Signature on File
__________________________________________
Chief Audit, Compliance and Privacy Officer 


Under Direction of the President:

Signature on File
_________________________________________
Chief Information Officer

ATTACHMENT 1
CONFIDENTIAL FAX COVER SHEET


“Confidential Protected Health and Other Information Enclosed”

Protected Health Information is personal and sensitive information related to a person’s health care. The other protected information may include information protected by State or Federal regulations and University policy. You, the recipient, are obligated to maintain it in a safe, secure and confidential manner. Re-disclosure without additional patient consent or as permitted by law is prohibited. Unauthorized re-disclosure or failure to maintain confidentiality could subject you to penalties described in federal and state law.

To:From:
Location:Fax Number:
Date Sent:Phone Number:
Time Sent:
Number of Pages (including cover):

                                                                                                                                          


Comments: 







"Confidential Protected Health and Other Information Enclosed"
Protected Health Information is personal and sensitive information related to a person's health care. The other protected information may include information protected by State or Federal regulations and University policy. You, the recipient, are obligated to maintain it in a safe, secure and confidential manner. Re-disclosure without additional patient consent or as permitted by law is prohibited. Unauthorized re-disclosure or failure to maintain confidentiality could subject you to penalties described in federal and state law. 

IMPORTANT WARNING: This message is intended for the use of the person or entity to which it is addressed and may contain information that is privileged and confidential, the disclosure of which is governed by applicable law. If the reader of this message is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this information is STRICTLY PROHIBITED. If you have received this message in error, please notify the sender immediately and arrange for the return or destruction of these documents.