ROWAN UNIVERSITY POLICY


Title: Uses and Disclosures of Protected Health Information: With and Without Authorization
Subject: Office of Compliance & Corporate Integrity (OCCI)
Policy No: OCCI: 2013:P04
Applies: RowanSOM
Issuing Authority: President
Responsible Officer: Chief Audit, Compliance & Privacy Officer; Director of Information Security
Adopted: 07/01/2013
Last Revision: 01/26/2021
Last Reviewed: 01/26/2021


I.     PURPOSE

To establish the requirement for Rowan University School of Osteopathic Medicine (RowanSOM) uses and disclosures of individually identifiable protected health information (PHI) to be in conformance with state and federal regulations. This policy clarifies when an authorization is or is not required and/or clarifies when an opportunity to agree or disagree must be provided regarding the use and disclosure of protected health information. It establishes the necessary elements that must be included in these authorizations, and the extent of the information that may be used or disclosed.

II.   ACCOUNTABILITY

Under the direction of the President, the Dean, Senior Vice President for Academic Affairs, General Counsel, Chief Audit, Compliance & Privacy Officer, Vice President for Finance and Treasurer and the Vice President for Supply Chain Management shall ensure compliance with this policy.

III.  APPLICABILITY

  1. This policy applies to health information, including demographic information collected from an individual, whether oral or recorded in any form or medium, only when it meets the following conditions:

    1. It is created or received by any unit or department of RowanSOM acting in the capacity of a health care provider, health plan, employer or health care clearing house.

    2. It relates to a past, present or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or payment for the provision of health care.
    3. It can identify the patient, or there is a reasonable basis to believe that it can be used to identify an individual. Health information is considered not individually identifiable under the following two conditions:
      1. Where the risk is very small that the information could be used to identify the individual. Risk is determined by using generally accepted and documented statistical and scientific principles and methods; and
      2. Where all identifying information is removed. See Attachment 1 for a list of 18 identifiers that must be removed regarding the individual, relatives, employer and other household members to de-identify health information.
  2. This policy does not apply to health information in education records covered under the Federal Education Right and Privacy Act (FERPA), 20 USC 1232g; and records under FERPA at 20 USC 1232g(a)(4)(B)(iv). See University policy, Family Educational Rights and Privacy Act, 00-01-25-05:00.

IV. REFERENCES

  1. 45 CFR 164.508 Code of Federal Regulations, Title 45, Part 164, Section 508, Security and Privacy, Uses and disclosures for which an authorization is required.
  2. 45 CFR 164.510 Code of Federal Regulations, Title 45, Part 164, Section 510, Security and Privacy, Uses and disclosures requiring an opportunity for the individual to agree or object.
  3. 45 CFR 164.512 Code of Federal Regulations, Title 45, Part 164, Section 512, Security and Privacy, Uses and disclosures for which consent, authorization or opportunity to agree or object is not required.
  4. Federal Education Right and Privacy Act (FERPA), 20 USC 1232g and 20 USC 1232g(a)(4)(B)(iv).
  5. Family Educational Rights and Privacy Act
  6. Common Rule and FDA’s Human Subject Protection Regulations

V. POLICY

  1. RowanSOM and all its units shall appropriately protect the privacy of PHI that can identify an individual in compliance with federal and state law.
  2. RowanSOM will not use or disclose PHI without a valid authorization by the individual unless it is permitted under the following circumstances and is in accordance with state and federal law and this policy:
    1. When requested by the Secretary of the United States Department of Health and Human Services (DHH) to investigate or determine compliance with the privacy standard;
    2. When the disclosure is to the individual to whom the PHI pertains, or a legal personal representative, including requests for accounting or access to inspect or copy;
    3. To carry out treatment, payment or healthcare operations (TPO);
    4. Where an opportunity to agree or to object has been afforded to the individual and the individual does not object to the use and disclosure of PHI in the following circumstances:
      1. To include the individual in facility directories,
      2. To family and friends involved with the individual’s care or payment related to the individual’s healthcare, or
      3. To disaster relief agencies to coordinate the notification of family and friends regarding the individual’s location, condition, or death;
    5. Under the following circumstances when the use or disclosure meets the conditions and requirements detailed in Attachment 2 and in accordance with federal and any stricter state law:
      1. For public health activities as discussed under 45 CFR 164.512(b);
      2. To governmental authorities about victims of abuse, neglect and domestic violence under the conditions discussed in 45 CFR 164.512(c);
      3. To health oversight agencies for oversight activities authorized by law;
      4. For judicial and administrative proceedings under the conditions discussed in 45 CFR 164.512(e);
      5. To law enforcement officials for certain law enforcement purposes under the conditions discussed in 45 CFR 164.512(f);
      6. To coroners and medical examiners for the purpose of identifying a deceased person or cause of death, or other duties authorized by law; and to funeral directors to carry out their duties;
      7. For cadaveric organ, eye or tissue donation;
      8. For research purposes when the Institutional Review Board approved an alteration to or waiver of the individual authorization requirement in compliance with 45 CFR 164.512(i) and appropriate representations and documentation regarding the use and disclosure is obtained from the researcher in accordance with 45 CFR 164.512(i);
      9. To avert a serious threat to health or safety of a person or the public;
      10. For specialized government functions including military and veterans activities; for protective services to the President of the USA; for national security activities; and to a correctional institution or law enforcement official about a lawfully detained individual under certain conditions;
      11. To the extent that the use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law;
      12. To report health care fraud;
      13. To other health care entities for their treatment, payment and operational purposes (see Attachment 3).
    6. When the information has been de-identified and there is no actual knowledge by RowanSOM that any of the remaining information could identify the individual. See Attachment 1 for the 18 pieces of information that must be removed to qualify as de-identified information.
  3. RowanSOM will comply with stricter state and federal law that affords greater protection to privacy rights as they relate to the privacy of individuals including but not limited to treatment for drug and alcohol use, HIV/AIDS, and mental health.
  4. For psychotherapy notes, a valid authorization must be obtained for any use and disclosure except under the following circumstances:
    1. For TPO of or by RowanSOM, only the following uses and disclosures are authorized:
      1. By the originator of the psychotherapy notes for treatment, but the originator may not disclose them to anyone else;
      2. By the unit in training programs in which students, trainees, or practitioners in mental health learn or improve counseling skills; or
      3. By the unit to defend a legal action or other proceeding brought by the individual.
    2. To the extent that it is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.
    3. To health oversight agencies with respect to the oversight of the originator of the psychotherapy notes only;
    4. To coroners, medical examiners for the purpose of identifying a deceased person or cause of death, or other duties authorized by law; and to funeral directors to carry out their duties.
    5. To prevent or lessen a serious and imminent threat to the safety of a person or the public, unless the information was obtained in treatment initiated by the individual (45 CFR 164.512(i)).
  5. Uses and Disclosures for Treatment, Payment and Health Care Operations (TPO)
    1. RowanSOM workforce may use and disclose PHI necessary for treating patients, obtaining payment for items and services, and conducting administrative and operational tasks as necessary to provide health care services as defined in Attachment 2.
    2. Members outside of the workforce (business associates) that provide certain functions, activities, or services for or to RowanSOM involving uses and disclosures of PHI in order to help RowanSOM carry out its health care functions, other than for treatment purposes, must enter into Business Associate Contracts with RowanSOM prior to their access to such information. The Vice President for Supply Chain Management shall be responsible for communicating and enforcing this section to vendors, independent contractors, business associates, etc.
    3. Patients may request restrictions on the uses or disclosures of health information for TPO. RowanSOM need not agree to the restriction requested, but will be bound by any restriction to which it agrees, only after the individual patient pays in full, prior to the initiation of the service(s) [164.522]. Any agreement to restrict must be appropriately documented on the Request for Restriction Form, which can be accessed at the following website: https://www.rowan.edu/compliance, and kept in the medical record. Such restrictions must be clearly indicated on the face of the chart or somewhere obvious to anyone accessing the chart.
    4. The following types of operational activities may require a valid authorization:
      1. Marketing activities require an authorization prior to RowanSOM use and disclosure.
        1. Marketing includes any communication where the effect of the communication is to encourage recipients to purchase or use the product or service.
        2. Marketing does not constitute communications in the course of managing the treatment of the individual for purposes of "case management" and "care coordination."
        3. Authorizations for marketing along with the core elements discussed below must include the statement that the marketing is expected to result in direct or indirect remuneration to RowanSOM from the third party, if true.
        4. Exception: Face-to-face communications made by RowanSOM to the individual do not require an authorization.
      2. Fundraising activities: Only the following PHI may be disclosed without authorization to an institutionally related foundation for the purposes of raising funds for RowanSOM’s own benefit (if the foundation is run by a non-RowanSOM entity, a business approved limited data set agreement must be in place):
        1. Demographic information relating to an individual; and
        2. Dates of health care provided to an individual.
      3. RowanSOM must include in any fundraising materials a description of how the individual may opt out of receiving future communications; and RowanSOM must make sure those individuals who opt out do not receive any future communications.
      4. Research activities require a written authorization unless there is written documentation that the IRB either waived or altered the requirement. See Attachment 2 under "Research" for requirements and specifications under which an authorization would not be required.
  6. Opportunity to Agree or Object
    1. In the following three (3) circumstances, PHI may be disclosed without an authorization as long as the patient is given an opportunity to agree or object. Units must establish a process to document that the opportunity was afforded and whether the individual objected.
      1. Facility Directories
        1. During the registration process in units that utilize facility directories, all patients must be told that the information about them will be placed in the facility directory to provide information to friends, family, clergy and the press if requested and that they may object or request restrictions.
        2. The information that may be included in the directory is as follows:
          1. the patient’s name;
          2. the patient’s location;
          3. the patient’s condition, as undetermined, good, fair, serious or critical; and
          4. the patient’s religious affiliation.
      2. Specific medical information about the individual may not be included.
      3. Patients may agree or object orally or in writing. Each unit however should document the notification and response on a log sheet or in some other manner so as to be able to ascertain the patient’s previous preference in a future visit where an opportunity to object may not practicably be provided.
      4. In emergency situations involving patient incapacity, where the opportunity to object cannot practicably be provided, the patient’s most recent preference, if known, will be honored upon a determination by the attending physician or house supervisor that the disclosure is in the best interest of the patient.
      5. No directory information will be disclosed unless asked by name, except to members of the clergy.
    2. To Persons involved in a Patient’s Care or Payment
      1. PHI may be disclosed to a family member, a personal representative of the individual or another person when:
        1. That information is relevant to such person’s involvement with the individual’s care or payment related to such care, or
        2. To notify (or assist in the notification of) such persons of the individual’s location, general condition or death, and
        3. When section V.F.2.b. and section V.F.2.c. are complied with.
      2. If the individual is present and has the capacity to make healthcare decisions, the unit may use or disclose the PHI only if it:
        1. Obtains the individual’s agreement;
        2. Provides the individual the opportunity to object and the individual does not object; or
        3. Can be reasonably inferred from the circumstances, using professional judgment that the individual does not object to the disclosure.
      3. If the individual is not present, due to an incapacity or emergency circumstance, the unit may disclose only if:
        1. The PHI is directly relevant to the person’s involvement with the individual’s health care, and it is in the individual’s best interest.
        2. Units may use professional judgment and experience with common practice to make reasonable inferences regarding the individual’s best interest in allowing a person to act on behalf of the individual to “pick up filled prescriptions, medical supplies, X-rays, or other similar forms of PHI.”
    3. Disaster Relief Efforts
      1. PHI may be used or disclosed to a public or private entity authorized by law or by its charter to assist in disaster relief efforts. The above rules for use and disclosure of PHI for involvement in an individual’s care and notification (depending upon whether the individual is present or not) apply as long as they do not interfere with the public or private entity’s ability to respond to a disaster relief situation.
  7. Authorizations
    1. Units may use and disclose PHI when a valid authorization is obtained.
    2. For requests for authorization initiated by RowanSOM, all units must use RowanSOM's standardized authorization form, Authorization for Release of Information, which can be accessed at the following website: http://www.rowan.edu/compliance.
    3. All sections must be complete. Changes or variations to the authorization forms must be approved by the Chief Audit, Compliance & Privacy Officer in the Office of Compliance & Corporate Integrity. Treatment may not be conditioned on obtaining the authorization (unless related to an approved research clinical trial).
    4. If the authorization was received from the individual or third party, determine the validity of the authorization. The following elements must be present:
      1. A description of the specific information to be used or disclosed.
      2. Name of the specific person or entity authorized to disclose the information.
      3. Name of the specific person or entity to whom RowanSOM may make the requested use or disclosure and, if information is to be mailed, the address of the person or entity.
      4. The date, event or condition upon which the authorization will expire.
      5. The individual’s signature and date.
      6. A description of the personal legal representative's authority to sign, if applicable.
      7. A description of the purpose of the disclosure. (Not required if the individual requests disclosure for own use).
      8. A statement in which the individual acknowledges that he or she has the right to revoke the authorization, and instructions on how to exercise such right or, to the extent the information is included in the covered entity's notice, a reference to the notice.
      9. A statement that treatment may not be conditioned on obtaining the authorization, unless it is research related and disclosure of the information is for the particular research study. For purposes of research, where treatment may be conditioned on obtaining the authorization, a statement about the consequences of refusing to sign the authorization.
      10. A statement in which the individual acknowledges that information used or disclosed to any entity other than a health plan or health care provider may no longer be protected by federal privacy law.
      11. If the authorization is for marketing purposes and the marketing is expected to result in direct or indirect remuneration to RowanSOM from a third party, a statement of this fact.
      12. If the disclosure requested involves mental health information, the authorization must also include the following:
        1. The specific purposes for which the information may be used, both at the time of disclosure and any time in the future; and
        2. That the patient is aware of the statutory privilege accorded to confidential communications between a patient and a licensed psychologist and psychiatrist.
    5. Defective Authorizations
      1. An “authorization” is not considered valid if it has any of the following defects:
        1. The expiration date has passed.
        2. The form has not been filled out completely.
        3. The authorization is known by RowanSOM to have been revoked.
        4. The form lacks any required element.
        5. The information on the form is known by RowanSOM to be false.
        6. Treatment was conditioned upon obtaining the authorization (except for research purposes).
    6. Legal Representatives
      1. If the authorization is signed by a legal representative or other person authorized to act for the individual, the request must be accompanied by documentation of the representative’s legal authority to act on behalf of the individual.
    7. Revocation of Authorization.
      1. A patient who has executed an authorization for disclosure or use of individual health information may revoke the authorization at any time by sending a written notice to Rowan University as described in RowanSOM’s Notice of Privacy Practices.
        1. The written notice must refer to the specific authorization being revoked (e.g., “my authorization of January 27, 2002”) and be signed and dated by the individual or his or her legal representative.
        2. The revocation becomes effective upon receipt by RowanSOM, with the exception of uses or disclosures made by RowanSOM prior to receipt.
    8. For Research-Related Health Information
      1. The core elements of an authorization as described below may be combined with the informed consent to participate in the research.
      2. Rowan University may condition the provision of research related treatment (related to the clinical trial) on obtaining authorization.
      3. RowanSOM may use and disclose for a specific research study, PHI that is created or received before and after HIPAA's compliance date (April 14, 2003), and/or prior to the new authorizations being implemented, as long as some other express legal permission to use and disclose the information for the research study was obtained.
      4. Archived information may continue to be used and disclosed for the research study if an individual had originally signed an informed consent to participate in the research study, or IRB waived informed consent, in accordance with the Common Rule or FDA's human subject protection regulations.
      5. An accounting of all disclosures made under an authorization must be documented and maintained. See University policy, Accounting of Disclosures of Health Information.
  8. Extent of the Information That May be Used and Disclosed.
    1. For disclosures made under a valid authorization, disclose the information to the extent specified in the authorization.
    2. Absent an authorization, each unit must make reasonable effort to limit the use or disclosure of, and requests for, PHI to the minimum necessary to accomplish the intended purpose. The minimum necessary rule does not apply to the following circumstances:
      1. Disclosures to or requests by a health care provider for treatment purposes.
      2. Disclosures to the individual or personal legal representative, who is the subject of the information.
      3. Uses and disclosures made pursuant to an authorization.
      4. Uses or disclosures required for compliance with the standardized HIPAA electronic transactions.
      5. Disclosures to the Department of Health and Human Services when disclosure of information is required under HIPAA for enforcement purposes.
      6. Uses and disclosures that are required by law.
    3. Each unit must make an assessment of what PHI is reasonably necessary for a particular purpose, given the characteristics of the unit's business practices and workforce, and to implement policies and procedures accordingly. Policies and procedures should address the following:
      1. Internal use by the unit’s workforce for uses other than for treatment purposes. Identify the persons or classes of persons within the workforce who need access to the information to carry out their job duties, the categories or types of PHI needed, and conditions appropriate to such access.
      2. Routine and recurring disclosures to third parties. Limit the PHI to the minimum amount reasonably necessary to achieve the purpose of the disclosure.
      3. Non-routine disclosures to third parties. Criteria must be developed that limit the disclosure of PHI to the minimum information reasonably necessary to accomplish the purpose for which disclosure is sought. Requests for disclosures must be reviewed on a case-by-case basis in accordance with such criteria. Units may rely (if such reliance is reasonable) on a requested disclosure being the minimum necessary for the stated purpose when:
        1. The covered entity is making disclosures to a public official where no authorization or consent is required, and the public official represents that the information requested is the minimum necessary;
        2. The information is requested by another health care provider, health plan or health care clearing house covered under HIPAA;
        3. The information is requested by a professional who is a member of RowanSOM’s workforce or business associate for the purpose of providing professional services to RowanSOM, if the professional represents that the information requested is the minimum necessary for the stated purpose; or
        4. Documentation or representations are made that comply with the requirements of 45 CFR 164.512(i) (regarding uses and disclosures involving research).
  9. Verification Requirement
    1. Each unit will verify the identity and authority of persons requesting PHI. Verification procedures should be reflected in policies and procedures accordingly.
    2. If the requesting person is a public official or someone acting on his or her behalf, units may rely upon the following:
      1. Agency identification badge, credentials or other proof of status;
      2. Government letterhead, if request is by letter;
      3. A written statement of the legal authority (or, if impracticable, an oral statement) under which the information is requested.
      4. If a request is made pursuant to a legal process, warrant, subpoena, order, or other legal process, it is presumed to constitute legal authority.
      5. For persons acting on behalf of the official, a written statement on government letterhead or other evidence or documentation that establishes that the person is acting under the public official's authority (such as a contract for services or memo of understanding). In this event, units must contact the Office of Legal Management to inform it of such request by public officials.
    3. A unit may rely on the exercise of professional judgment as to disclosures pursuant to facility directories, to persons involved in a patient’s care or payment and notification, and in relation to disaster relief as discussed in section V.F.3. and as to disclosures regarding serious threats to health and safety as discussed in Attachment 2.

VI. ATTACHMENTS

  1. Attachment 1, List of Identifiers and De-Identification Process
  2. Attachment 2, Disclosures of PHI No Authorization Required
  3. Attachment 3, Treatment, Payment and Health Care Operations

VIII. NON-COMPLIANCE AND SANCTIONS

Any individual who violates this policy shall be subject to discipline up to and including dismissal from the University in accordance with their union and University rules. Civil and criminal penalties may be applied accordingly. Violations of this policy may require retraining and be reviewed with the employee during the annual appraisal process. The Deans of each College, Vice Presidents, and University President, with the assistance of the Department of Human Resources, will enforce the sanctions appropriately and consistently to all violators regardless of job titles or level within the University and in accordance with bargaining agreements for represented employees. Any sanction costs or fines will be borne by the Department and the Department Chair or VP will determine how these funds will be assigned.



By Direction of the President:


Signature on file

__________________________________________
Chief Audit, Compliance and Privacy Officer


Signature on file

__________________________________________
Rowan Security Officer

ATTACHMENT 1

LIST OF IDENTIFIERS AND DE-IDENTIFICATION PROCESS

  1. RowanSOM may use protected health information (PHI) where information that can identify the individual is not present and where RowanSOM has no reasonable basis to believe that the information can be used to identify the individual. RowanSOM can create de-identified information by removing, coding, encrypting, or otherwise eliminating or concealing the following information regarding the individual, relatives, employers, or household members:
    1. Names
    2. Street address, city, county, precinct, zip code, and equivalent geocodes
    3. All elements of dates (except year) for dates directly related to the individual, including birth date, admission date, discharge date, date of death, and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of 90 or older
    4. Birth date
    5. Telephone numbers
    6. Fax numbers
    7. Electronic mail addresses
    8. Social security number
    9. Medical record number
    10. Health plan beneficiary number
    11. Account numbers
    12. Certificate/license number
    13. Any vehicle identifiers and serial numbers, including license plate numbers
    14. Web Universal Resource Locator (URL)
    15. Internet Protocol (IP) address number
    16. Finger or voice prints; biometric identifiers
    17. Full-face photographic images, and any comparable images
    18. Any other unique identifying number, characteristic, or code that Rowan University has reason to believe may be identifiable to an anticipated recipient of the information.

  2. Research, Public Health and Healthcare operations - For disclosures for research use, only the following 9 identifiers must be removed:
    1. name
    2. street address
    3. telephone and fax number
    4. e-mail addresses
    5. social security number
    6. certificate/license number
    7. vehicle identifiers and serial numbers
    8. URLs and IP addresses
    9. Full face photos

  3. A covered entity can re-identify any information that has been de-identified as long as two conditions are satisfied. If the conditions are satisfied, a covered entity may use a code or some other method of recordation. First, the code or method of recordation cannot be derived from or related to information about the individual that would enable identification of the individual. Second, the covered entity cannot use or disclose the code or other method of recordation for any other purpose, and cannot disclose the mechanism for re-identification.

ATTACHMENT 2
DISCLOSURE OF PROTECTED HEALTH INFORMATION (PHI)
NO AUTHORIZATION REQUIRED

1. Public Health Activities

RowanSOM may disclose Protected Health Information (PHI) for public health activities as follows:

  1. To a public health authority that is authorized by law:
    1. To collect or receive such information for the purpose of preventing or controlling disease, injury or disability;
    2. To receive reports of child abuse or neglect;
  2. To persons subject to the jurisdiction of the Food and Drug Administration:
    1. To report adverse events, product defects or problems, or biological product deviations if the disclosure is made to the person required or directed to report such information to the FDA;
    2. To track products if the disclosure is made to a person required or directed by the FDA to track the product;
    3. To enable product recalls, repairs, or replacement; or
    4. To conduct post-marketing surveillance to comply with requirements or at the direction of the FDA.
  3. To a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition where RowanSOM is authorized by law to notify the person as necessary in the conduct of public health intervention or investigation; or
  4. To a RowanSOM Unit about an individual who is a member of the Unit's work force if:
    1. RowanSOM provides health care to the individual at the request of the Unit to conduct medical surveillance of the workplace or to evaluate individuals for work-related illness or injury;
    2. The PHI consists of findings concerning work-related illness or injury or workplace related medical surveillance;
    3. The Unit needs the findings to comply with its obligations under 29 CFR Part 1904-1928 (Occupational Safety and Health Administration regulations) or 30 CFR Parts 50-90 (Mine Safety and Health Administration) or under similar state law, to record such illness or injury or to carry out responsibilities for workplace medical surveillance; or
    4. RowanSOM gives written notice to the individual that PHI relating to the medical surveillance of the workplace and workplace related illnesses and injuries is disclosed to the Unit by giving a copy of the notice to the individual when the health care is provided or if the healthcare is provided on the worksite of the employer, by posting the notice prominently where the health care is provided.

2. Victims of Abuse, Neglect, or Domestic Violence

In addition, RowanSOM may disclose PHI to a government authority about individuals reasonably believed to be victims of abuse, neglect, or domestic violence. Such disclosures involving adults are permitted if:

  1. The disclosure is required by law and the disclosure is limited to the requirements of such law.
  2. The individual agrees to the disclosure.
  3. The disclosure is expressly authorized by statute or regulation, and
    1. RowanSOM believes the disclosure is necessary to prevent serious harm to the individual or other potential victims; or
    2. If the individual cannot agree because of incapacity, a law enforcement or other public official authorized to receive the report represents that the PHI is not intended to be used against the individual and that an immediate enforcement activity that depends upon the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure.

RowanSOM must promptly inform the individual of such report unless the provider believes informing the individual would place the individual at risk of serious harm or the provider would be informing a personal representative that the covered entity believes is responsible for the abuse, neglect, or other injury, and that informing such person would not be in the best interest of the individual.

3. Health oversight activities

RowanSOM may disclose PHI to a health oversight agency for oversight activities authorized by law, including audits; civil, administrative, or criminal investigations; inspections; licensure or disciplinary actions; civil, administrative, or criminal proceedings or actions; or other activities necessary for the appropriate oversight of:

  1. the health care system, 
  2. government benefit programs for which health information is relevant to beneficiary eligibility, 
  3. entities subject to government regulatory programs that need health information to determine compliance with program standards, or entities subject to civil rights law that need health information to determine compliance.

RowanSOM may not disclose PHI under this section if an investigation or other activity relates to an individual but does not arise out of and is not directly related to:

  1. the receipt of health care; 
  2. a claim for public benefits related to health; or 
  3. qualifications for, or receipt of, public benefits or services when a patient's health is integral to the claim for public benefits or services.

4. Judicial and administrative proceedings

The RowanSOM Office of Legal Management will respond to all judicial and administrative proceedings. The Office of Legal Management will review the requests and either respond to the issuer of the request or advise about compliance with the request.

5. Law enforcement purposes

RowanSOM may disclose PHI to a law enforcement official if:

  1. The law enforcement official is conducting or supervising a law enforcement inquiry or proceeding authorized by law and the disclosure is:
    1. A warrant, subpoena, or order issued by a judicial officer (that documents a finding by the judicial officer);
    2. A grand jury subpoena; or
    3. An administrative request, including an administrative subpoena or summons, a civil investigative demand, or similar process authorized under law, provided that:
      1. The information sought is relevant and material to a legitimate law enforcement inquiry;
      2. The request is as specific and narrowly drawn as is reasonably practicable; and
      3. De-identified information could not reasonably be used.
  2. If the disclosure is for the purpose of identifying a suspect, fugitive, material witness, or missing person, RowanSOM may disclose only the following information: 
    1. Name
    2. Address
    3. Social security number
    4. Date of birth
    5. Place of birth
    6. Type of injury or other distinguishing characteristic
    7. Date and time of treatment. 
  3. If the disclosure is of the PHI of an individual who is suspected to be a victim of a crime, abuse, or other harm, if the law enforcement official states that:
    1. such information is needed to determine whether a violation of law by a person other than the victim has occurred; and
    2. immediate law enforcement activity that depends upon obtaining such information may be necessary. 
  4. For purposes of alerting law enforcement of the death of an individual if the covered entity has a suspicion that such death may have resulted from criminal conduct.
  5. To a law enforcement official if the covered entity believes in good faith that the PHI constitutes evidence that criminal conduct occurred on the premises of the covered entity.
  6. Disclosure of PHI to a law enforcement official where: 
    1. a provider is providing health care in response to a medical emergency (other than on the premises of the provider) and
    2. such disclosure is necessary to alert law enforcement to the commission and nature of a crime, the location of the crime or its victims, and the identity, description, and location of the perpetrator (provided that victims of abuse, neglect or domestic violence will be treated in accordance with the provisions in Section 2 above). 

All requests for disclosure of PHI by a law enforcement official must be referred to Legal Management for review prior to disclosure.

6. Deceased Individuals

The PHI of a deceased individual may be disclosed without the personal representative's permission for three specific reasons that would not apply to living persons:

  1. For information needed by coroners, medical examiners and funeral directors.
  2. For information needed to facilitate an organ donation.
  3. To alert a law enforcement agency of the death if the covered entity has a suspicion that such death may have resulted from criminal conduct. If the agency is already investigating the death, other law enforcement powers to obtain PHI may apply. 

Otherwise, health records of deceased persons are protected as those of a living person and for up to 50 years after the pronouncement date.

7. Organ Donation

RowanSOM may disclose PHI to organ procurement organizations or other entities engaged in procurement, banking, or transplantation of cadaveric organs, eyes or tissues for the purpose of facilitating organ, eye, or tissue donation and transplantation.

8. Research Purposes
  1. RowanSOM may use or disclose PHI for research, regardless of the source of funding of the research, provided that RowanSOM has obtained a written waiver, in whole or in part, of authorization for use or disclosure of PHI that has been approved by the IRB, in whole or in part, and satisfying the following criteria:
    1. The use or disclosure of PHI involves no more than minimal risk to the privacy of individuals, based on, at least, the presence of the following elements: 
      1. an adequate plan to protect the identifiers from improper use and disclosure;
      2. an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and
      3. adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use and disclosure of PHI would be permitted under federal and state law.
    2. The research could not practicably be conducted without the waiver;
    3. The research could not practicably be conducted without access to and use of the PHI. 
  2. RowanSOM must obtain from the researcher representations that: 
    1. Use and disclosure is sought solely to review PHI as necessary to prepare a research protocol or for similar purposes preparatory to research; 
    2. No PHI is to be removed from Rowan University SOM by the researcher in the course of the review; and 
    3. The PHI for which use or access is sought is necessary for research purposes. 
  3. As to research on decedents' information, RowanSOM must obtain from the researcher:
    1. Representation that the use and disclosure is sought solely for research on the PHI of decedents;
    2. Documentation, at the request of RowanSOM, of the death of such individuals; and representation that the PHI for which use and disclosure is sought is necessary for research purposes.
9. Emergency Circumstances to Avert Threats to Safety

RowanSOM may, consistent with applicable law and standards of ethical conduct and based on a reasonable belief that the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of an individual, use or disclose PHI to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat.

  1. In making such a disclosure, RowanSOM is presumed to have acted under a reasonable belief, if the disclosure is made in good faith based upon a credible representation by a person with apparent knowledge or authority (such as a doctor or law enforcement or other government official) (NJSA 2A:62A-16).

ATTACHMENT 3

TREATMENT, PAYMENT AND HEALTH CARE OPERATIONS


  1. "Treatment" - the provision, coordination, or management of health care and related services by one or more health care providers, includes:
    1. the coordination or management of health care by a health care provider with a third party;
    2. consultation between health care providers relating to a patient; or
    3. the referral of a patient for health care from one health care provider to another.
  2. "Payment" - the activities undertaken to obtain payment for the provision of healthcare; and relates to the individual to whom health care is provided and includes, but is not limited to:
    1. Determinations of eligibility or coverage (including coordination of benefits or the determination of cost sharing amounts), and adjudication or subrogation of health benefit claims;
    2. Billing, claims management, collection activities, obtaining payment under a contract for reinsurance (including stop-loss insurance and excess of loss insurance), and related health care data processing;
      1. Obtaining information about the location of the individual is a routine activity to facilitate the collection of amounts owed and the management of accounts receivable, and, therefore, would constitute a payment activity.
      2. Debt collection is recognized as a payment activity.
    3. Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges;
    4. Utilization review activities, including pre-certification and pre-authorization of services, concurrent and retrospective review of services; and
    5. Disclosure to consumer reporting agencies of any of the following protected health information relating to collection of reimbursement:
      1. Name and address;
      2. Date of Birth;
      3. Social Security Number;
      4. Payment history;
      5. Account number; and
      6. Name and address of the health care provider and/or health plan.
  3. "Health Care Operations" - any of the following activities:
    1. Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment;
    2. Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care providers, accreditation, certification, licensing, or credentialing activities;
    3. Conducting or arranging for medical review, legal services and auditing functions, including fraud and abuse detection and compliance programs;
    4. Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies; and
    5. Business management and general administrative activities of Rowan University School of Medicine, including, but not limited to:
      1. Resolution of internal grievances;
      2. Due diligence in connection with the sale or transfer of assets to a potential successor in interest, if the potential successor in interest is a covered entity or, following completion of the sale or transfer, will become a covered entity.