To establish a policy that ensures compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, and the Omnibus Privacy Final Rule of 2013 in the destruction and disposal of documentation containing Protected Health Information (PHI).
Under the direction of the President, the Senior Vice President for Medical Initiatives and Affiliated Campuses, Senior Vice President and CIO, General Counsel, Dean, Associate Deans, Department Chairs, Chief Audit, Compliance & Privacy Officer, Vice President for Research, Executive Director, and the Director of Information Security Officer shall implement and ensure compliance with this policy.
This policy shall apply to health information that is generated during the provision of health care to patients in any of the RowanSOM patient care units, patient care centers or faculty practices, as well as Human Subjects research under the auspices of RowanSOM or by any of its agents in all RowanSOM Schools, Units, Departments and RowanSOM owned or operated facilities.
“Protected Health Information (PHI)” - Protected health information means individually identifiable health information that relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual, and that identifies or could reasonably be used to identify the individual. The PHI of an individual patient who has been deceased for more than 50 years is no longer protected [164.502(f)].
RowanSOM Departments and RowanSOM owned or operated facilities shall appropriately protect the privacy of health information that can identify an individual in compliance with federal and state law. RowanSOM will act responsibly in the maintenance, retention and eventual destruction and disposal of all material containing PHI, which includes PHI on fax and copier machine hard drives. The destruction and disposal of PHI will be carried out in accordance with HIPAA regulations and RowanSOM policy. All PHI will be destroyed, using the shredding bins provided directly on RowanSOM sites, in a manner in which it cannot be recovered or reconstructed. Medical records will be maintained and destroyed in accordance with the RowanSOM policy, Records Management.
Any individual who violates this policy shall be subject to discipline up to and including dismissal from the University in accordance with their union and University rules. Civil and criminal penalties may be applied accordingly. Violations of this policy may require retraining and be reviewed with the employee during the annual appraisal process. The Deans of each College, Vice Presidents, and University President, with the assistance of the Department of Human Resources, will enforce the sanctions appropriately and consistently against all violators regardless of job title or level within the University and in accordance with bargaining agreements for represented employees. Any sanction costs or fines will be borne by the Department, and the Department Chair or VP will determine how these funds will be assigned.
By Direction of the President:
Signature on file
Chief Audit, Compliance & Privacy Officer