Subject: Protected Health Information Privacy Policy
Applicability: All University of North Texas faculty, staff, students, healthcare volunteers, and business associates or agents who are granted access to Protected Health Information.
10.7.1 Topics the Policy Covers
[45 CFR 164.502(a)-(j)]
This policy is the guidance and regulation component of
Department of Health and Human Services requirements that the University of
North Texas (UNT) communicate clear and specific compliance standards and
procedures to applicable parties regarding the prohibited and required uses and
disclosure of Protected Health Information (PHI). The policy provides standards
and regulations for:
· Notice of privacy practices
· Permitted uses and disclosures of PHI
o Consent, and what makes a consent valid or defective
· Verification requirements
· When the “minimum necessary” standard applies to uses and disclosures
· Patient rights
o Access to their own PHI
o Use and disclosure of Psychotherapy notes
o Authorizations
o Uses and disclosures of PHI consistent with notice
o Resolving conflicting consents and authorizations
o To restrict the use and disclosure of their own PHI
o To amend their own PHI
o To receive an accounting of disclosures of their PHI
o To receive treatment without waiving their rights to complain
· Treating a personal representative as the individual whose health information is protected, in the cases of
o Adults and emancipated minors
o Un-emancipated minors
o Deceased individuals, and
o Individuals subjected to abuse, neglect, or endangerment
· Creating de-identified information from PHI and regulations for use and disclosure of de-identified PHI for research or other legitimate purposes
· Confidential communications
o Fax communication
o Email communication
o Confidentiality of substance abuse records
o Storage of PHI
o Printing and Copying PHI
o Disposal of PHI
· Disclosures to business associates and standards for business associate contracts
· Designation of Privacy Officer and Contact Person
· Training of workforce members
· Safeguards
· Complaint process
· Sanctions for improper use or disclosure
· Mitigation of effects of improper use or disclosure
· Prohibition of intimidating and retaliatory acts
· Changing policies whenever required
· Retaining documentation
This policy is one component of the requirements of 45 CFR 164.530 that UNT have a policy that is consistent in scope with its covered healthcare activities. Each healthcare component of UNT must also elaborate on any sections of this policy that its mission and scope require. Policy additions made by healthcare components may be more restrictive than the requirements of this policy, but they cannot be less restrictive. Each healthcare component must also create procedures and forms that comply with this policy and with federal and Texas laws and regulations, and that are consistent with its mission and its operations. It must also train its workforce in the use of its procedures and forms.
10.7.1.1 Definitions
Throughout this policy:
· The term “individual” refers to a patient or a client of the healthcare provider
· The term “workforce member” refers to a member of the faculty, staff, or student body who is an employee of the University of North Texas or who is a volunteer or intern performing duties in a healthcare component of UNT, and who is supervised by a member of the healthcare component’s administrative structure.
10.7.2 Patient Notice of Health Information Practices
[45 CFR 164.520]
An individual has a right to adequate notice of the uses and disclosures of PHI
that may be made by healthcare components of UNT, and of the individual’s
rights and UNT’s responsibilities with respect to PHI. UNT healthcare
components are required to provide a Notice of Privacy Practices (NPP) to all
individuals, as well as to other individuals requesting a copy. Those persons
who register individuals will be responsible for distributing a copy of the NPP
to all individuals.
If an individual is treated on an emergency basis, the UNT healthcare component may delay providing the NPP and receiving an acknowledgement until a practical time.
10.7.2.2 Notice
The NPP must be written in plain language and must contain the following
elements:
o A description of the types of uses and disclosures that the UNT healthcare component is permitted to make, including at least one example for each of the following purposes: Treatment, Payment, and health care Operations (TPO);
o A description of each of the purposes for which the UNT is permitted or required to use or disclose PHI without the individual’s written authorization;
o A statement that other uses and disclosures will be made only with the individual’s written authorization, and that the individual may revoke such authorization, using the appropriate forms;
o A statement that the UNT component may contact the individual to provide appointment reminders or information about treatment alternatives or other health-related benefits and services that may be of interest to the individual; and
· Individual rights. The NPP must contain a statement of the individual’s rights with respect to PHI and a brief description of the procedures that the individual would use to exercise these rights:
o The right to request restrictions on certain uses and disclosures of PHI;
o The right to receive confidential communications of PHI;
o The right of the individual to inspect and obtain a copy of the individual’s own PHI;
o The right to request an amendment to PHI;
o The right to receive an accounting of disclosures of PHI; and
o The right of an individual, including an individual who has agreed to receive the NPP electronically, to obtain a paper copy of the NPP on request.
· Healthcare component’s duties. The NPP must contain a statement that the UNT healthcare component:
o Is required by law to maintain the privacy of PHI and to provide individuals with notice of its legal duties and privacy practices with respect to PHI;
o Is required to abide by the terms of the NPP currently in effect; and
o Reserves the right to change the terms of its NPP and to make the new provisions effective for all PHI that it maintains. The statement must also describe how it will provide individuals with a revised NPP.
o Cannot delete anything from the record although amendments can be considered.
· Complaints. The NPP must contain a statement that individuals may complain to the UNT healthcare component, and to the Department of Health and Human Services, if they believe that their privacy rights have been violated, a brief description of how the individual may file a complaint with the UNT healthcare component, and a statement that the individual will not be retaliated against for filing a complaint.
· Contact. The NPP must contain the name, or title, and telephone number of a person or office to contact for further information.
· Effective date. The NPP must contain the date on which the NPP is first in effect, which may not be earlier than the date on which the NPP is printed or otherwise published.
10.7.2.3 Electronic Notice
· If a UNT healthcare component develops an electronic NPP, it must post a current copy on its web site.
· If electronic mail is used to send a copy of the NPP to an individual, the electronic mail communication must comply with Section 10.7.7.2 of this policy. If the UNT healthcare component becomes aware that the email transmission was not successful, it must provide a paper copy of the NPP to the individual.
· Electronic notice by the UNT healthcare component satisfies the notice requirement if receipt of the NPP is documented and retained by the healthcare component.
· The individual who is the recipient of an electronic notice retains the right to obtain a paper copy of the NPP from the UNT healthcare component on request.
10.7.2.4 Documentation of Notice
The UNT healthcare component must document compliance with the notice requirements by retaining copies of the NPPs it has issued.
Those persons who register patients or clients shall be responsible for
distributing the NPP to all patients or clients, documenting receipt of the
acknowledgment form in an appropriate filing system, and retaining the original
signed form in the patient’s or client’s file or record. If the individual
refused to sign the acknowledgement form or if it was otherwise impossible to
receive an acknowledgement from the individual, the healthcare component must
document on the acknowledgement form the reason why written acknowledgement
could not be received.
The UNT healthcare component must promptly revise and make available its NPP
whenever there is a material change to its uses or disclosures, an individual’s
rights, UNT’s legal duties, or other privacy practices that are stated in the
NPP. Except when required by law, a material change to a term of the NPP may
not be implemented prior to the effective date of the NPP in which such material
change is reflected.
10.7.3 Uses and Disclosures of PHI
UNT workforce members may use and
disclose PHI for TPO only if the patient has signed and executed a Consent for
Treatment, which includes a Use and Disclosure of PHI form that grants UNT or
the UNT healthcare component and its workforce members the right to use and
disclose PHI to carry out TPO. However, this consent only allows UNT or the
healthcare component to use and disclose the “Minimum Necessary” amount of
information required to complete the desired task. In compliance with Texas
Health and Safety Code, Chapter 181, each UNT healthcare component shall develop
the necessary Consent acknowledgement form and ensure that individuals receive
it when they receive the NPP.
10.7.3.1 Definitions
“Use” with respect to
individually identifiable health information:
The sharing, employment, application, utilization, examination, or analysis of
such information within an entity that maintains such information.
10.7.3.2 Disclosure:
The release, transfer, provision of access to, or divulging in any other manner
of information outside the entity holding the information.
10.7.3.3 Treatment:
The provision, coordination, or management
of health care related services by one or more health care providers, including
the coordination or management of health care by a health care provider with a
third party; consultation between health care providers relating to a patient;
or for the referral of a patient for health care from one health care provider
to another.
10.7.3.4 Payment:
Any activities undertaken either by a health plan or by a health care provider to obtain premiums, to determine or fulfill its responsibility for coverage and the provision of benefits, or to obtain or provide reimbursement for the provision of health care. These activities include but are not limited to:
· Determining eligibility, and adjudication or subrogation of health benefit claims;
· Risk adjusting amounts due based on enrollee health status and demographic characteristics;
· Billing, claims management, collection activities, obtaining payment under a contract for reinsurance, and related health care processing;
· Review of healthcare services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges;
· Utilization review activities, including pre-certification and preauthorization services, concurrent and retrospective review of services; and
· Disclosure to consumer reporting agencies of certain PHI relating to collection of premiums or reimbursement.
10.7.3.5 Health care operations: Any
one of the following activities to the extent the activities are related to
providing health care:
· Conducting quality assessment and improvement activities, population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting patients with information about treatment alternatives, and related functions that do not involve treatment;
· Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities;
· Underwriting, premium rating, and other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits, and ceding, securing or placing a contract for reinsurance of risk relating to claims for health care;
· Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs;
· Business planning and development, such as conducting cost management and planning related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or covered policies, and;
· Business management and general administrative activities:
o Management activities related to HIPAA compliance;
o Customer Service;
o Resolution of internal grievances;
o Due Diligence; and
o Activities designed to de-identify health information and fundraising activities for the benefit of the institution.
10.7.3.6 Minimum Necessary: When using
or disclosing PHI or when requesting PHI from another health care provider or
health organization, UNT must limit PHI to the minimum necessary to accomplish
the intended purpose of the use, disclosure or request. Minimum Necessary does
not apply in the following circumstances:
· Disclosures by a health care provider for treatment (students and trainees are included as health care providers for this purpose);
· Uses and disclosures based upon a valid consent to use and disclose PHI for treatment, payment and health care operations or a valid authorization to use and disclose PHI;
· Disclosures made to the Secretary of Health and Human Services;
· Uses and disclosures required by law; and
· Uses and disclosures required by other sections of the HIPAA privacy regulations. For a more detailed explanation of Minimum Necessary, see Section 10.7.4.
10.7.3.7 Indirect Treatment Relationship: A
relationship between an individual and a health care provider in which:
· The health care provider delivers health care to the individual based on the orders of another health care provider; and
· The health care provider typically provides services or products, or reports the diagnosis or results associated with the health care, directly to another health care provider, who provides the services, products or reports to the individual.
10.7.3.8 Surrogate decision makers, Minors, and
Deceased Individuals: For information regarding proper uses and
disclosures for Surrogate decision makers, Minors, and Deceased Individuals, see
Section 10.7.8.4.3.
10.7.3.9 Consents
Unless there is an emergency, UNT healthcare components
should not treat a patient if an individual has not signed and executed the
proper HIPAA consent form. UNT workforce members may use and disclose PHI for
TPO without obtaining the consent of the individual only in the following
instances:
· When an indirect treatment relationship exists;
· When an emergency situation exists;
· When treatment is required by law; or
· When substantial barriers in communication exist and the patient’s consent is clearly inferred from the circumstances.
If failure to obtain consent occurs, the reasons for the
failure to obtain consent must be documented on the consent form.
It should be clearly understood the Consent for the Use and
Disclosure of PHI does not allow UNT or its workforce members to use or disclose
PHI for any reasons other than for TPO. For UNT to use and disclose PHI for
purposes other than for TPO, the individual must sign an authorization (see
Section 10.7.5.3).
Psychotherapy notes are not to be included as PHI that may
be disclosed, unless consent is sought for each such use or disclosure. For
information regarding proper uses and disclosures for Psychotherapy notes, see
Section 10.7.5.3.1.2.
Consents to use and disclose PHI for TPO must have the following elements for the consent to be effective:
· Inform the patient or surrogate decision maker that PHI may be used and disclosed to carry out TPO;
· Refer the patient or surrogate decision maker to the NPP for a more complete description of such uses and disclosures and state that the patient or surrogate decision maker has the right to review the NPP prior to signing the consent;
· State that the patient or surrogate decision maker may request a restriction be placed on the consent (see Section 10.7.5.4.1); and
· The consent must be signed by the patient or surrogate decision maker and dated.
UNT healthcare components reserve the right to change their privacy practices described in their NPP. If a UNT healthcare component changes the terms of its NPP, it will describe how the patient or surrogate decision maker may obtain a revised NPP.
10.7.3.9.1 Defective consents: A consent is defective if it lacks an element required in the consent, or it becomes defective if the consent has been revoked.
10.7.4 Minimum Necessary Use and Disclosure
[45 CFR 164.502(b), 164.514(d)]
For purposes other than those listed below, the use and
disclosure of PHI must be limited to the minimum necessary to satisfy the
request or to complete the task. However, if the use or disclosure is for
treatment purposes, no limitation to the use and disclosure shall apply. Each
UNT healthcare component shall develop the necessary procedures and training to
implement the requirements of this section.
The minimum necessary provisions SHALL NOT APPLY to the use and disclosure of PHI:
· For treatment purposes;
· For information requested by the individual to whom it belongs;
· For information requested pursuant to a valid authorization by the individual;
· For compliance with standardized Health Insurance Portability and Accountability Act (HIPAA) transactions;
· For required disclosures to the Department of Health and Human Services for enforcement purposes; or
· For instances required by law.
10.7.4.1 Limitations on Use and Disclosure
All persons who handle PHI in any manner are expected to know and to abide by the following:
· Determining workforce access to PHI. Access to PHI shall be granted to persons based on their role, as determined by their supervisor, manager, and department head. The UNT healthcare component shall identify:
o Those persons or classes of persons in the UNT workforce, including students, trainees, and volunteers, who need access to PHI to carry out their duties, and
o For each such person or class of persons, the category or categories of PHI to which access is needed and any conditions appropriate to such access.
· Requests for Uses or Disclosures of PHI. Except in emergency situations, any person requesting PHI from the medical record custodian must include the requestor’s name, unique identifier, and the amount of information requested.
· Audits. The UNT healthcare component Privacy Officer shall be responsible for facilitating random checks to ensure that the minimum necessary standard is being applied when using and disclosing PHI.
· Requests for uses and disclosures of entire medical records. Medical record custodians must not release the entire medical record to other UNT departments or business associates unless necessary.
· Good faith judgment. The medical record custodian may rely on the belief that the PHI requested is the minimum amount necessary to accomplish the purpose of the request when:
o The information is requested by a person previously approved for access;
o The information is requested by a professional providing professional services either as an employee or as a business associate (such as the UNT System Office of the Vice Chancellor and General Counsel);
o Making disclosure to entities or agencies associated with health-related purposes that do not require consent, authorization, or opportunity to agree or object, and the requesting official states that the information is the minimum necessary or is required by law;
o IRB or privacy board documentation represents that proposed research meets the minimum necessary standard;
o A requester asserts that the information is necessary to prepare a research protocol; or
o A requester asserts the information is for research on decedents.
10.7.4.2 Disclosures for Payment
Only the minimum necessary PHI shall be disclosed for
payment functions, as provided by contractual agreements. Persons handling PHI
for payment shall not discuss or disclose information about an individual’s
diagnosis or treatment. This policy shall apply to checks collected, credit card
paper receipts, envelopes and invoices sent to patients or clients.
10.7.4.3 Disclosures Required by Law
PHI about a victim of crime or abuse: UNT may only release
the minimum necessary amount of information to law enforcement officials, unless
the law requires certain other information to be released, in which case UNT
must comply with relevant statutes, laws, regulations, and subpoenas.
In response to an order of a court or an administrative
tribunal, UNT must release all information, but only that information, required
by the order. The minimum necessary standard does not apply.
10.7.4.4 Disclosures for Worker’s Compensation
PHI may be disclosed to comply with Worker’s Compensation
laws and regulations without the consent, authorization, or opportunity to
object by an individual. Such disclosure will be only the minimum necessary
information. The records’ custodian and the UNT System Office of the Vice
Chancellor and General Counsel must carefully review and approve requests for
entire records.
10.7.4.5 Disclosures to Family and Friends
Such disclosures must comply with Section 10.7.8.3.13 of this policy.
10.7.4.6 Minimum Necessary Use and Disclosure for Student Workers, Trainees, and Volunteers
Students, trainees, and volunteers are to adhere to the
minimum necessary standard. They shall have access to records only to the degree
that their duties require this access, and their supervisor shall train them in
the privacy regulations of the UNT healthcare component in which they provide
services. Individual healthcare components may implement a more restrictive
policy with respect to student access to records.
10.7.4.7 Minimum Necessary Use and Disclosure for Educational Purposes
Faculty, staff, students, and trainees are to use
de-identified information when in a classroom setting. A patient’s identifying
information is not needed for educational purposes.
10.7.5.1 Relationship Between HIPAA and FERPA
[FR, December 28, 2000, p. 82483]
The HIPAA Privacy Regulations safeguard “protected health information,” whereas the Family Educational Rights and Privacy Act (FERPA) deals with the privacy of “education records.” The U.S. Department of Health and Human Services specifically exempted FERPA’s education records from its definition of “protected health information.”
FERPA defines education records as
those records that contain information directly related to a student that are
maintained by an education agency, institution or a person acting for the agency
or institution. FERPA education records do not include records of students who
are 18 years or older, or are attending post-secondary educational institutions,
that are:
· Created or maintained by a physician, psychiatrist, psychologist, or recognized professional or paraprofessional acting or assisting in that capacity;
· Created, maintained, or used only in connection with the provision of treatment to the student; and
· Not available to anyone, except a physician or appropriate professional reviewing the record as designated by the student.
Any use or disclosure of the above
medical records for other purposes, including providing access to the individual
student who is the subject of the information, turns the record into an
educational record protected by FERPA. However, a student may access his or her
medical records by making a request under the Texas Public Information Act. To
avoid the need to apply two different standards to student records, HIPAA
excludes from its definition of “protected health information” the student
medical records that an educational institution obtains, whether or not they
qualify as education records.
This policy recognizes that both HIPAA and FERPA require
authorization from an individual to disclose their protected health information.
In some circumstances, FERPA requirements may be more stringent than HIPAA
requirements. To facilitate the operation of all UNT healthcare components, all
discussions of consents and authorizations in this policy apply to both HIPAA
and FERPA records. The healthcare component shall develop only one set of forms
and procedures to comply with both sets of federal regulations. The healthcare
component Privacy Officer shall be responsible for overseeing the processing of
authorizations and requests for PHI, regardless of which set of regulations
applies. However, the Privacy Officer will ensure that the permissions needed to
approve a HIPAA or FERPA request will be obtained from the proper authority. The
UNT System Office of the Vice Chancellor and General Counsel shall have the
authority to approve all FERPA requests, and is designated as the final
authority for many types of HIPAA requests.
There will be instances in which student records will be
converted from HIPAA records to FERPA records. For example, students with
disabilities requesting accommodations are often asked to produce a
physician’s certification of disability before the institution makes the
requested accommodation. The information disclosed by the
non-institution-affiliated physician ceases to be protected health information
under HIPAA once the information is shared, at the student’s request, with the
institution. UNT must accept this information and protect it as it would receive
and protect any other HIPAA PHI. However, now that the student has made the
medical information available to the institution, it falls under the protections
of FERPA and may not be further released without the student’s permission.
Under no circumstances may student medical or student
educational records be disclosed to the Department of Health and Human Services
as a part of an HHS audit or investigation of any UNT healthcare component.
10.7.5.2 Access and Denial of Patient Request for PHI
[45 CFR 164.524]
The Privacy Officer of the healthcare component that retains the individual’s records shall be responsible for processing or denying requests by an individual for access to that individual’s own PHI.
Individuals have a right to inspect and receive a copy, at their own expense, of the PHI that is in their designated record, except for the following:
· Psychotherapy notes, which are discussed in Section 10.7.5.3.1.2, below. Individuals are entitled to request and receive a summary of psychotherapy notes;
· Information compiled in anticipation of use in a civil, criminal, or administrative action or proceeding;
· PHI subject to the Clinical Laboratory Improvements Amendments of 1988 (CLIA);
· Employee Assistance Program (EAP) records, which are not part of the individual’s record but which may be requested separately; and
· PHI exempt from CLIA, pursuant to 42 CFR 493.3(a)(2), which is PHI generated by:
o Facilities or facility components that perform forensic testing;
o Research laboratories that test human specimens but that do not report patient-specific results for diagnosis, prevention, treatment, or assessment of the health of patients; and
o Laboratories certified by the National Institute on Drug Abuse (NIDA) in which drug testing is performed that meets NIDA guidelines and regulations. However, other testing conducted by a NIDA-certified laboratory is not exempt.
Each UNT healthcare component shall develop the procedures, forms and workforce training to enable individuals to request access to and copies of their own PHI. The procedures developed must comply with the following:
· Individuals have the right to request access to their own PHI as long as the PHI is maintained in the records of the healthcare component;
· If UNT or one of its healthcare components does not maintain the requested PHI but knows where the requested information is maintained, then it must inform the individual where to direct the request for access;
· The individual must make the request in writing, using the appropriate form;
· Based on Texas law, UNT or the healthcare component must act on the individual’s request no later than the 15th calendar day after receipt of the request and payment of any necessary fee. If UNT is officially closed during the entire 15-day period, the request must be acted on in a reasonable time following the reopening of the university. UNT or the healthcare component shall:
o Make the information available, in full or in part, for examination; or
o Inform the authorized requestor if the information does not exist, cannot be found, or is not yet complete. On completion or location of the information, UNT or the healthcare component shall notify the individual. If the information does not exist or cannot be found, the health care component will make an official notation for file at the UNT facility.
· If access is granted, in whole or in part, UNT or the healthcare component must comply with the following requirements:
o UNT or the healthcare component must provide the individual access to his or her PHI in the designated records, including inspection or receiving a copy, or both. If the same PHI that is the subject of a request for access is maintained in more than one designated record or at more than one location, UNT or the healthcare component need only produce the PHI once in response to a request for access;
o UNT or the healthcare component must provide the individual with access to the PHI in the form or format requested by the individual, if it is readily reproducible in such a form or format, or if not, in a readable hard copy or other form or format that is agreed on by both parties;
o UNT or the healthcare component may provide the individual with a summary of the PHI requested, in lieu of providing access to the PHI, or may provide an explanation of the PHI to which access has been provided, if:
· The individual agrees in advance to such a summary or explanation; and
· The individual agrees in advance to the fees imposed, if any, by UNT or the healthcare component for a summary or explanation. Whether summary or explanation, notation will be made by the health care component in the file at the UNT facility.
o UNT or the healthcare component must provide access as requested by the individual in a timely manner, including arranging with the individual for a convenient time and place to inspect or receive a copy of the PHI, or by mailing the copy of the PHI at the individual’s request. UNT or the healthcare component may discuss the format, scope, and other aspects of the request for access with the individual as necessary to facilitate the timely provision of access; and
o If the individual requests a copy of the PHI or agrees to a summary or explanation of its information, UNT or the healthcare component may impose a reasonable, cost-based fee, provided that the fee includes only the cost of:
· Copying, including the cost of supplies for and labor of copying the PHI requested. The fee schedule for these services is set by the State of Texas;
· Postage, if the patient has requested that the copy, summary, or explanation be mailed; and
· Preparing an explanation or summary of the PHI, if agreed to by the individual.
10.7.5.2.1
Denial of Access to PHI
· UNT or the healthcare component must allow an individual to request access to inspect or receive a copy of PHI maintained in their records. However, UNT or the healthcare component may deny an individual’s request without providing an opportunity for review when:
o An exception stated above exists;
o The individual agreed to temporary denial of access when consenting to participate in research that includes treatment, and the research is not yet complete;
o The records are subject to the Privacy Act of 1974, and the denial of access meets the requirements of that law; and
o The PHI was obtained from someone other than UNT under a promise of confidentiality, and access would likely reveal the source of the information.
· UNT or the healthcare component may also deny an individual access for additional reasons, provided that the individual is given the right to have such denials reviewed under the following circumstances:
o A licensed healthcare professional designated by the HIPAA Compliance Office has determined that the access is likely to endanger the life or physical safety of the individual or of another person;
o The PHI makes reference to another person who is not a healthcare professional, and a licensed healthcare professional designated by the HIPAA Compliance Office has determined that the access requested is likely to cause substantial harm to this other person; or
o The request for access is by the individual’s surrogate decision-maker, and a licensed healthcare professional designated by the HIPAA Compliance Office has determined that access is likely to cause substantial harm to the individual or to another person.
· If access is denied on the basis of any criterion above, the individual has the right to have the denial reviewed by a licensed healthcare professional designated by the HIPAA Compliance Office to act as the reviewing official. The designee must not have participated in the original decision to deny. UNT or the healthcare component must provide access or deny access in accordance with the determination of the reviewing official;
· If UNT or the healthcare component denies access, in whole or in part, to PHI, UNT or the healthcare component must comply with the following:
o To the extent possible, give the individual access to any other PHI requested, after excluding the PHI to which access was denied;
o Provide in a timely manner a written denial to the individual, in plain language, containing the following information:
§ The reason for the denial;
§ If applicable, a statement of the individual’s review rights, including a description of how the patient may exercise such review rights; and
§ A description of how the individual may complain to UNT.
o If the individual has requested a review of a denial, the UNT HIPAA Compliance Officer must designate a licensed UNT health care professional who was not directly involved in the decision to deny access. UNT must promptly refer a request for review to this licensed health care professional. The licensed health care professional must determine, in a reasonable period of time, whether to provide or to deny access to the requested PHI. The UNT HIPAA Compliance Office must promptly provide written notice to the individual detailing the findings of the reviewing health care professional, and must then direct that appropriate action be taken to provide or deny access, as addressed in this section.
Each UNT healthcare component shall develop the necessary
procedures, forms, and training of their workforce members to implement the
requirements for processing authorizations and using them for the disclosure of
PHI, as discussed in the following sections.
10.7.5.3.1 Authorization Requirements for Use and Disclosure
[45 CFR 164.508(a)]
10.7.5.3.1.1 General Requirements
A patient or client must always sign an authorization to
release PHI for reasons that are not related to TPO.
An individual requesting the release of the individual’s
own PHI must complete and sign the authorization form developed by the
healthcare component. UNT’s release of PHI must comply with the directives
stated in the authorization. The UNT healthcare component must save all signed
authorizations in the individual’s record.
PHI may be disclosed without an authorization or without
consent if the law requires such disclosure. All the cases in which this is
required and permitted are stated elsewhere in this policy. The UNT healthcare
component from which PHI is released by the healthcare component or by UNT must
document the disclosure in its database used for this purpose.
10.7.5.3.1.2 Requirements for Disclosure of Psychotherapy Notes
The UNT healthcare component may not use or disclose
psychotherapy notes for purposes other than TPO without obtaining the
patient’s or client’s signed authorization. The healthcare component also
cannot disclose the psychotherapy notes to the patient or client without his or
her signed authorization.
An authorization for use or disclosure of psychotherapy
notes for TPO is not required under the following situations:
· The notes originated in the same UNT healthcare component that is carrying out treatment;
· The healthcare component is disclosing de-identified information from the notes for training programs in which students, trainees, or practitioners in mental health learn how to improve their skills. Only de-identified information may be used for such a purpose;
· The information will be used or disclosed to defend UNT in a legal action, or in any other proceeding in which UNT is a party;
· When the healthcare component must use or disclose the information as required by the Secretary of Health and Human Services to investigate, audit, or determine compliance with privacy regulations in the UNT healthcare component. However, psychotherapy notes relating to a student may not be released to HHS, as these are either medical records exempt from FERPA or they may be student records, both of which are not covered by HIPAA;
· The use or disclosure is required by law and is limited to relevant requirements of the law;
· The healthcare component makes the disclosure to a health oversight agency that is carrying out its responsibilities to oversee the treatment and operations of the originator of the psychotherapy notes. The healthcare component may be required to enter into Business Associate Agreements with certain health oversight agencies; or
· The healthcare component discloses information to coroners or medical examiners for the purpose of identifying a deceased individual, determining a cause of death, or other duties authorized by law.
Specific requirements for disclosures that do not require
an authorization from an individual are covered elsewhere in this policy.
Texas law protects communications between an individual and
a professional providing treatment,
and also protects records of the identity, diagnosis, evaluation, or treatment
of an individual that is created or maintained by the professional. Texas law
does not specifically address psychotherapy notes. Consequently, either HIPAA or
FERPA regulations, whichever applies, will be followed by UNT healthcare
components.
10.7.5.3.2 Requirements for Valid Authorization
[45 CFR 164.508(b)]
All authorizations must contain the required core elements. If the use or disclosure of an individual’s PHI is for reasons other than TPO, it may also need to include the additional elements required:
· For UNT’s own uses and disclosures;
· By UNT for another entity’s uses and disclosures; or
· For research that includes treatment.
These are discussed in the following sections.
10.7.5.3.2.1 Core Elements
[45 CFR 164.508(c)]
A valid authorization must contain at least the following
elements and must be written in plain language:
· A description of the information to be used or disclosed that identifies the information in a specific and meaningful way. Requests for substance abuse records, including Employee Assistance Program records, require an explanation of the purpose for the request;
· The name or other specific identification of the person or the class of persons who are authorized to make the requested use or disclosure;
· The name or other specific identification of the person or the class of persons to whom a healthcare component of UNT may make the requested use or disclosure;
· An expiration date for the request. Unless it is revoked sooner, the authorization is valid for 180 days after the date it is signed;
· A statement of the individual’s right to revoke the authorization in writing, any exceptions to the right to revoke, and a description of the process that the individual would use to revoke the authorization;
· A statement that the information used or disclosed pursuant to the terms of the authorization is no longer protected by the HIPAA privacy regulations, and it may be re-disclosed by the recipient;
· Signature of the individual and the date; and
· If a personal representative signs for the individual, a description of the representative’s authority to act for the individual.
10.7.5.3.2.2 Elements of Authorization Needed for UNT’s Use and Disclosure
[45 CFR 164.508(d)]
· A statement that UNT or the healthcare component will not condition treatment, payment, or eligibility for benefits on the individual providing the authorization, unless one of these exceptions exists:
o UNT may condition the provision of research-related treatment on provision of an authorization, or
o UNT may condition the provision of health care that is solely for the purpose of creating PHI for disclosure to a third party on provision of an authorization for the disclosure of the PHI to such third party.
· A description of each purpose of the requested use or disclosure;
· A statement that the individual may:
o Inspect or receive a copy of the PHI to be used or disclosed, and
o Refuse to sign the authorization.
· If use or disclosure of the requested information will result in direct or indirect remuneration to UNT from a third party, a statement of such remuneration must be included.
10.7.5.3.2.3 Elements of Authorization Requested by UNT for Disclosures by Other Entities
[45 CFR 164.508(e)]
If a UNT healthcare component requests an authorization be
signed to obtain records from another covered entity for the healthcare
component to carry out TPO, the healthcare component must include the following
requirements in addition to the core elements:
· A description of each purpose of the requested use or disclosure;
· A statement that UNT or the healthcare component will not condition treatment, payment, or eligibility for benefits on the individual providing the authorization, except for an authorization on which payment may be conditioned; and
· A statement that the individual may refuse to sign the authorization.
A copy of the authorization shall be provided to the individual for signature.
10.7.5.3.2.4 Authorizations Needed for Research That Includes Treatment
[45 CFR 164.508(f)]
See Section 10.7.8.3.9 and UNT Policy 16.5, Human Subjects
in Research, and its associated procedures.
10.7.5.3.2.5 Defective Authorizations
[45 CFR 164.508(b)]
An authorization is considered defective and invalid if any
material information in the authorization is known by UNT or any member of its
workforce to be false, or if any of the following defects exist:
· The expiration date has passed or the expiration event is known by the UNT healthcare component to have occurred;
· The authorization has not been filled out completely or signed;
· The authorization is known by the UNT healthcare component to have been revoked;
· The authorization lacks any of the core elements; or
· The authorization violates the exception allowing compound authorizations for research purposes.
10.7.5.3.3 Compound Authorizations
An authorization for use and disclosure of PHI may not be
combined with any other document to create a compound authorization, except for
the following:
· An authorization for the use or disclosure of PHI created for research that includes the treatment of the individual may be combined;
· An authorization for the use and disclosure of psychotherapy notes may only be combined with another authorization for use and disclosure of psychotherapy notes; or
· An authorization, other than that for a use and disclosure of psychotherapy notes, may be combined with any other such authorization.
10.7.5.4.1 Patient Right to Restrict
[45 CFR 164.522(a)(b)]
UNT healthcare components must
permit an individual to request that the healthcare components restrict:
· Uses and disclosures of PHI about the individual to carry out TPO.
· Permitted uses and disclosures as outlined elsewhere in this policy.
Each healthcare
component shall develop the necessary forms and procedures to enable individuals
to request restrictions and shall provide workforce members with the training
necessary to carry out these procedures.
UNT healthcare components are not required to agree to a
restriction. If a healthcare component does agree to a restriction, UNT or the
healthcare component may not use or disclose PHI in violation of the
restriction, except when the individual who requested the restriction needs
emergency treatment and the restricted PHI is
required to provide emergency treatment.
UNT or a healthcare component may itself use the restricted
PHI or may disclose the restricted PHI to a health care provider for other
required treatment to the individual. If restricted PHI is disclosed to another
health care provider for emergency treatment, UNT or its healthcare components
must request that the health care provider not further use or disclose the PHI.
A restriction agreed to by a UNT
healthcare provider cannot be used to prevent:
· Uses or disclosures from being made to the individual for inspection and copying the individual’s own PHI;
· The individual from obtaining an accounting of disclosures of PHI; or
· Uses and disclosures for which consent, authorization, or opportunity to agree or object is not required.
10.7.5.4.1.1 Terminating a Restriction
A UNT healthcare component may terminate its agreement to a restriction if:
· The individual agrees to or requests the termination in writing;
· The individual orally agrees to the termination and the oral agreement is documented; or
· The UNT healthcare component informs the individual that it is terminating the restriction. PHI created or received before the termination will remain restricted. PHI created or received after the termination will no longer be restricted.
10.7.5.4.1.2 Confidential Communications
A request for restricting confidential communications can
occur anytime and requires a change in the individual’s designated address.
UNT healthcare components must permit individuals to make requests and must
accommodate reasonable requests to receive communications of PHI from UNT
healthcare components by alternative locations or address. UNT healthcare
components:
· May require that individuals make a request for confidential communication in writing;
· May condition the provision of a reasonable accommodation on:
o Information regarding how any payment will be handled, if appropriate; and
o Specification of an alternative address or other method of contact.
· May not require an explanation from the individual as to the basis for the request as a condition of providing communications on a confidential basis.
It is the individual’s responsibility to change an
address back to the original designated address.
10.7.5.4.1.3 Right to Amend One’s Own Protected Health Information
[45 CFR 164.526(a)-(f)]
Patients have the right to amend information collected and maintained about them in their records.
All workforce members must
strictly observe the following standards:
· An individual has the right to have a UNT healthcare component amend PHI or a record about the individual in a designated record for as long as the PHI is maintained in the record;
· A UNT healthcare component may deny an individual’s request for amendment, if it determines that the PHI or record that is the subject of the request:
o Was not created by the UNT healthcare component, unless the individual provides a reasonable basis to believe that the originator of the PHI is no longer available to act on the requested amendment;
o Is not part of the individual’s designated record;
o Would not be available for inspection under the Access and Denial Request for PHI section of this policy; or
o Is accurate and complete.
· The individual must make the request to amend the PHI in writing with a reason to support the requested amendment. The request shall be on the form developed for this purpose by the healthcare component.
· The UNT healthcare component must accept all requests to amend PHI in the designated record. However, the healthcare component is not required to act on the individual’s request if one of the conditions for denying the request is found to exist.
· The healthcare component must act on the individual’s request for an amendment no later than 60 days after the receipt of the request. If the healthcare component is unable to act on the amendment within the required 60 day time limit, it may extend the time for its action by no more than 30 additional days, provided that:
o The healthcare component provides the individual with a written statement of the reasons for the delay and the date by which action on the request will be completed, and
o The healthcare component may have only one such extension of time for action on a request for an amendment.
· If the amendment is granted, in whole or in part, the UNT healthcare component must:
o Make the appropriate amendment to the PHI or record that is the subject of the request for amendment by at least identifying the records that are affected by the amendment and appending or otherwise providing a link to the location of the amendment.
o Inform the individual in a timely manner that the amendment is accepted and obtain the individual’s identification of and agreement to have the healthcare component notify the relevant persons with which the amendment needs to be shared.
o Make reasonable efforts to inform and provide the amendment within a reasonable time to:
§ Persons identified by the individual as having received PHI about the individual and needing the amendment, and
§ Persons, including business associates, that the healthcare component knows have the PHI that is the subject of the amendment and that may have relied, or might reasonably rely, on this information to the detriment of the individual.
· If the requested amendment is denied, in whole or in part, the healthcare component must provide the individual with a timely, written denial. The denial must use plain language and contain:
o The basis for the denial, in accordance with the procedures specified in this section.
o Notice of the individual’s right to submit a written statement disagreeing with the denial and how the individual may file such a statement.
o A statement that, if the individual does not submit a statement of disagreement, the individual may request that the healthcare component provide the individual’s request for amendment and the denial of the amendment whenever it makes future disclosures of the individual’s PHI.
o A description of how the individual may file a complaint with UNT, or with the UNT System Office of the Vice Chancellor and General Counsel with respect to student medical records, or to the Secretary of the Department of Health and Human Services with respect to records protected by the HIPAA Privacy regulations.
· Additionally, for denials:
o The healthcare component must permit the individual to submit a written statement disagreeing with the denial of all or part of a requested amendment and the basis of such a disagreement. The healthcare component may reasonably restrict the length of any statement of disagreement;
o The healthcare component may prepare a written rebuttal to the individual’s statement of disagreement. Whenever a rebuttal is prepared, a copy of the rebuttal must be provided to the individual who submitted the statement of disagreement;
o The healthcare component must identify, as appropriate, the record or PHI in the designated record that is the subject of the disputed amendment and append or otherwise link the individual’s request for an amendment, the denial of the request, the individual’s statement of disagreement, if any, and the rebuttal, if any, to the designated record;
o In its future disclosures:
§ If a statement of disagreement has been submitted by the individual, the healthcare component must include the individual’s request for an amendment, the denial of the request, the individual’s statement of disagreement and the rebuttal, if any, or an accurate statement of any such information, with any subsequent disclosures of the PHI to which the disagreement relates;
§ If the individual has not submitted a written statement of disagreement, the healthcare component must include the individual’s request for amendment and its denial, or an accurate summary of this information, with any subsequent disclosures of the PHI only if the individual has requested such action; or
§ When a subsequent disclosure is made using a standard transaction that does not permit the additional material to be included with the disclosure, the healthcare component may transmit the material required under separate cover to the recipient of the standard transaction.
o If the healthcare component is informed by another provider or payer that an amendment has been made to the individual’s PHI within the outside entity’s records, the UNT healthcare component must amend the PHI in the designated records that have been received from that outside entity. However, the UNT healthcare component is not required to amend the PHI in its own records based on the determination of the outside entity, unless the healthcare component regards the findings of the outside entity as reliable. Questions concerning reliability should be discussed with the UNT System Office of the Vice Chancellor and General Counsel.
Each UNT healthcare
component shall develop the procedures, forms, and training for its workforce
members that are necessary to carry out the requirements of this section.
10.7.5.4.3 Accounting for Disclosures and Patient Access to Disclosure Logs
[45 CFR 164.528(a)-(d), 164.530(i)(1)]
Individuals shall have the right to receive an accounting
of PHI disclosures made by UNT healthcare components in the six years prior to
the request (or a shorter time period if requested). Disclosures include those
to and by business associates. However, UNT healthcare components are not
required to account for disclosures that occurred prior to the compliance date
of April 14, 2003.
UNT healthcare components must account for disclosures of
PHI for occurrences other than TPO. These require an authorization from either
the individual or a surrogate decision maker. However, referring physicians will
not require an authorization or accounting of disclosure of PHI. Disclosures for
law enforcement purposes or that are required by law do not need an
authorization.
10.7.5.4.3.1 Right to Accounting of Disclosure of PHI
UNT healthcare components must provide the individual with
a written accounting that meets the following requirements:
· The accounting for each disclosure must include:
o The date of the disclosure;
o The name of the entity or person who received the PHI and, if known, the address of this entity or person;
o A brief description of the PHI disclosed; and
o A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure, or in lieu of such a statement:
§ A copy of the individual’s written authorization, or
§ A copy of a written request for a disclosure, if any.
· If a UNT healthcare component has made multiple disclosures of the PHI to the same person or entity for a single purpose, or resulting from a single authorization, the accounting may provide, for these multiple disclosures:
o The information required above;
o The frequency, periodicity, or number of the disclosures made during the accounting period; and
o The date of the last such disclosure during the accounting period.
· The healthcare component must act on the individual’s request for an accounting no later than 60 days after receipt of the request, as follows:
o Provide the individual with the accounting requested, or
o If unable to provide the accounting within the time required, it may extend the time to provide the accounting by no more than 30 days, provided that:
§ The healthcare component, within the 60 day time limit, provides the individual with a written statement of the reasons for the delay and the date by which the covered entity will provide the accounting, and
§ The healthcare component may have only one such extension of time for action on a request for an accounting.
· The healthcare component must provide the first accounting to an individual in any 12-month period without charge. The healthcare component may impose a reasonable, cost-based fee for each subsequent request for an accounting by the same individual within the same 12-month period, provided that the healthcare component informs the individual in advance of the fee and provides the individual with an opportunity to withdraw or to modify the request for a subsequent accounting in order to avoid or to reduce the fee. The fee schedule for these services is set by the State of Texas.
10.7.5.4.3.2 Exceptions to the Right of Accounting of Disclosures
In accounting for disclosures of PHI:
· The UNT healthcare component must temporarily suspend an individual’s right to receive an accounting of disclosures to a health oversight agency or law enforcement official if this agency or official provides the healthcare component with a written statement that such an accounting to the individual would reasonably be likely to impede the agency’s activities. The written statement must specify the time for which such a suspension is required.
· If the agency or official suspends an individual’s right to receive an accounting of disclosures and the statement is made orally, the UNT healthcare component must:
o Document the statement, including the identity of the agency or official making the statement.
o Temporarily suspend the individual’s right to an accounting of disclosures subject to the statement.
o Limit the temporary suspension to no longer than 30 days from the date of the oral statement, unless a written statement from the suspending agency or official is submitted during this 30-day time period.
The UNT healthcare component is not required to account for the following disclosures:
· To carry out TPO.
· To individuals requesting their own PHI.
· To persons involved in the individual’s care or for other notification purposes.
· For national security or intelligence purposes.
· To law enforcement officials.
· That occurred prior to the compliance date of April 14, 2003.
10.7.5.4.3.3 Documentation for Accounting of Disclosures
The workforce members of
the UNT healthcare component are required to account for disclosures of PHI by
documenting any such disclosure. Each healthcare component shall develop the
necessary procedures, training of workforce members, and database or filing
system that will contain the accounting of disclosures and that will comply with
this section.
10.7.6.1.1 Implementing Policies and Procedures
[45 CFR 164.530(i)(1)]
This policy was developed to ensure the privacy of PHI regarding any individual receiving healthcare services from a component of UNT. This policy complies with the U.S. Department of Health and Human Services Standards for Privacy of Individually Identifiable Health Information, 45 CFR Parts 160 and 164, the Texas Medical Privacy Act, and any other applicable federal or state law or regulation.
10.7.6.1.2 Changing Policies and Procedures
[45 CFR 164.530(i)(2)]
The UNT HIPAA Compliance Officer is responsible for
maintaining this policy. If changes in federal or Texas laws or regulations
require changes in this policy, the UNT HIPAA Compliance Officer will consult
with necessary parties both within and outside the University to develop the
required policy changes.
Changes in this policy may also be requested by University
management or by the management or Privacy Officer of any healthcare component
within the University. Proposed changes will be submitted to the UNT HIPAA
Compliance Officer for consideration and development. Changes in this policy
must be approved by the President of UNT and must be ratified by the UNT System
Board of Regents. The changes take
effect on approval of the President of UNT.
Healthcare components within UNT must also develop a
procedure for changing their policies and procedures and for updating forms,
records, and agreements.
If changes in policies or procedures materially affect the
way in which workforce members carry out their duties, the affected workforce
members will be retrained in compliance with section 10.7.6.4.1 of this policy.
10.7.6.1.3 Documentation of Policies and Procedures
[45 CFR 164.530(j)]
The UNT HIPAA Compliance Office must retain documentation
of these changes for a period of seven years from the time the documentation was
created, unless a longer period is prescribed by other federal or Texas
regulations.
UNT and its healthcare
components must maintain the policies and procedures required by the HIPAA
Privacy regulations in written or electronic form. Whenever a communication is
required to be in writing, UNT or its healthcare components, as appropriate,
shall maintain a record of this communication, or an electronic copy, as
documentation. Whenever an action, activity, or designation is required to be
documented, UNT or its healthcare components, as appropriate, shall maintain a
written or electronic record of such action, activity, or designation.
10.7.6.2.1 Safeguards
[45 CFR 164.530(c)]
Each UNT healthcare component must develop and implement
administrative procedures and practices, as well as technical and physical
safeguards that reasonably protect health information from intentional and
unintentional use and disclosure that violates federal or Texas law and
regulations.
10.7.6.2.2 Mitigation of Harmful Effects from Unauthorized Use
[45 CFR 164.539(f)]
To the extent practicable, UNT will mitigate any harmful
effect that becomes known to UNT as a consequence of the use or disclosure of
PHI that violates federal or Texas laws, or the policies or procedures of UNT or
of its healthcare components.
Mitigation may include, but is not limited to, the following:
· Taking corrective measures to remedy the effect of the violation.
· Retraining workforce members responsible for the violation.
· Disciplining workforce members responsible for the violation, following the procedures specified in this policy and in the appropriate sections of the UNT Policy Manual.
· Revising UNT policies or procedure to prevent a recurrence of the violation.
· Addressing problems with business associates, once UNT has been made aware of the problems.
10.7.6.2.3 Waiver of Rights
[45 CFR 164.530(h)]
Individuals who believe that a UNT healthcare component is not complying with the standards or requirements of the Privacy Act, when their medical records are protected by the Privacy Act, may file a complaint with the Secretary of the Department of Health and Human Services, as well as or instead of with the Privacy Officer of the healthcare component. The Privacy Act does not cover student medical records. Individuals who are students may file a complaint with the Privacy Officer of the healthcare component.
Individuals may not be asked or expected to waive their
right to file a complaint with the Secretary of HHS or the Privacy Officer as a
condition of receiving treatment by the healthcare component.
10.7.6.2.4 Effect of Prior Consents and Authorizations
[45 CFR 164.532(a)]
If an individual, before April 14, 2003, signed an
authorization for the use and disclosure of the individual’s PHI, either for
research purposes or for reasons other than research, this prior authorization
may continue to be relied upon to use and release that PHI, provided:
10.7.6.2.5 Privacy Officer and Contact Person
[45 CFR 164.530(a)]
Each healthcare component of UNT shall designate a Privacy
Officer, who will maintain accountability for privacy within the department or
clinic. This individual may share this role with other duties, as long as a
conflict of interest is not created by their multiple duties. In cases where a
conflict of interest might arise, the Privacy Officer shall consult with the
healthcare component’s manager and with the UNT HIPAA Compliance Officer so
that an alternate person may be designated to assume those duties that create
the conflict of interest.
Each healthcare component of UNT shall also designate a
Contact Person, who may be the same individual as the Privacy Officer. The role
of the Contact Person is to accept complaints.
The Privacy Officer will oversee the healthcare
component’s Privacy Program, including:
· Developing and implementing privacy policies and procedures, in accordance with federal and Texas privacy requirements.
· Receiving and processing consents.
· Receiving and processing restrictions on consents.
· Receiving and processing revocations of authorizations.
· Overseeing that all members of the component’s workforce who come into contact with PHI are properly trained.
· Approving all disclosures that do not require a consent, authorization, or opportunity for the patient to agree or object.
· Providing information related to the Notice of Privacy Practices.
· Mitigating the effects of all disclosures that are not compliant with federal or Texas law or with the policies or procedures of the department or clinic.
· Conducting, at least annually, a review of the implementation of the “minimum necessary” requirements.
· Conducting, at least annually, a review of the component’s access procedures and relevant records.
· Guiding and assisting in the identification, implementation, and maintenance of privacy policies and procedures in conjunction with the component’s management, the UNT System Office of the Vice Chancellor and General Counsel, and the UNT HIPAA Compliance Officer.
· Reviewing all patient information security plans to align security and privacy practices.
· Performing initial and periodic risk assessments or “privacy audits” and conducting ongoing compliance monitoring activities.
· Overseeing that the component maintains appropriate consent and authorization forms, information notices, and materials that reflect current organization and legal practices and requirements.
· Overseeing compliance with privacy practices and application of sanctions for failure to comply with privacy practices.
This list provides an overview of the duties of the Privacy
Officer and is not comprehensive.
10.7.6.2.6 Security Officer
A healthcare component may elect to have the Privacy
Officer also serve as the Security Officer. Please see the Health Information
Security Policy for additional information on the duties of the Security
Officer.
10.7.6.3 Complaint Process
[45 CFR 164.530(c)]
Any individual who believes the rights granted by the
Health Insurance Portability and Accountability Act (HIPAA) privacy regulations
or any other state or federal laws dealing with privacy and confidentiality have
been violated may file a complaint regarding the alleged violation.
Each healthcare component of UNT shall develop and
implement a set of procedures that enable individuals to file a complaint in
case they believe that their privacy rights have been violated. These procedures
shall specify to whom a complaint shall be delivered and how it will be
investigated. If the complainant wishes to make an anonymous complaint, and if
the healthcare component has no provision to accept such a complaint, the
complaint can be filed using the form on the UNT Compliance Office website (www.unt.edu/compliance).
In situations involving workforce members who are students,
the Center for Student Rights and Responsibilities shall be notified of the
investigation. Members of the workforce who are found, after an investigation,
to have violated this policy or any federal or Texas law or regulation shall be
subject to appropriate and applicable disciplinary action, following the
procedures in UNT discipline policies.
10.7.6.4.1 Documented Training Program
[45 CFR 164.530(b)]
The Privacy Officer of each healthcare component shall be
responsible for ensuring that members of the component’s workforce are
properly trained in the requirements of federal and Texas law. All members of
the workforce who come into contact with PHI in performing their job functions
shall be trained on the privacy laws and the procedures regarding PHI.
The term “workforce” includes employees, volunteers,
and any other individual performing work for the healthcare component who is
under the direct control of the component’s management, regardless of whether or
not they are paid.
Training shall meet the
following requirements:
· All current members of the workforce shall complete training by April 14, 2003.
· Workforce members hired or engaged in duties after that date must complete training within two months following the date when they start their duties.
· The supervisor of the workforce member shall be responsible for initiating training.
· Workforce members whose duties are affected by a material change in the privacy laws or policies shall be retrained within two months after the change becomes effective.
· Workforce members who have violated privacy laws, policies, or procedures shall be retrained within thirty days of the determination.
The Privacy Officer shall document each training session
and the names of the workforce members who completed training.
Such documentation shall be maintained within the healthcare
component’s privacy records for at least seven years from the date of
training.
The Privacy Officer
shall provide a summary annual report of the component’s training activities
to the UNT HIPAA Compliance Officer.
10.7.6.4.2 Signed Employee Confidentiality Statement
All workforce members who come into contact with PHI in
performing their job function, and who have completed required training in
confidentiality procedures, shall acknowledge in writing that they have
completed their training, that they have received a copy of the healthcare
component’s confidentiality and security agreement, that they understand its
contents, and that they will comply with its provisions and with the provisions
of federal and Texas law, University policy, and the healthcare component’s
policies and procedures.
The component shall provide a form for this purpose and
shall keep it on file for a period of seven years from the date when it was
signed.
10.7.6.4.3 Sanctions for Breaches
[45 CFR 164.530(e)]
Each healthcare component of UNT must develop and implement
a policy for disciplinary action in the event that a member of the workforce
uses or discloses PHI in a manner that violates federal or Texas law or
regulations, or UNT policies.
10.7.6.4.3.1 Disciplinary Action
The procedures for disciplinary action will be consistent
with UNT policies 1.7.1 and 1.15.33.
Healthcare components should provide examples of violations
that will result in disciplinary action. Examples of violations of privacy laws
and policies include but are not limited to:
· Discussing patient information in a public area.
· Leaving a medical record in a public area.
· Leaving a computer that contains PHI unsecured.
· Looking up a patient’s PHI for personal rather than for business and claims purposes.
· Accessing patient records out of concern or curiosity.
· Compiling a mailing list with the intent to sell or use for personal purposes or for profit.
· Using or disclosing PHI to personally advance a cause of action.
10.7.6.4.3.2 Penalties
Federal penalties that might be
assessed for illegal use or disclosure of PHI include:
· The Department of Health and Human Services reserves the right to investigate complaints and conduct compliance reviews. The Secretary of Health and Human Services has delegated enforcement responsibilities to the Department’s Office of Civil Rights (OCR).
· Civil and criminal penalties may be imposed on a covered entity.
· Civil penalties consist of a fine of $100 for each violation up to $25,000 within one year. The healthcare component can claim an affirmative defense if it had no knowledge of the violation, had exercised due diligence in preventing violations, and would not have known despite its due diligence. The OCR may waive penalties if disclosures are made due to reasonable cause and not willful neglect.
· Criminal penalties may consist of up to $50,000 and a year in jail. If the disclosure was made under false pretenses, the violator may face a fine of $100,000 and five years in jail. An individual improperly disclosing PHI with the intent to sell, transfer, or use health information for commercial advantage, personal gain, or malicious harm may face a $250,000 fine and 10 years in jail.
Penalties for violations of the Texas Medical Privacy Act
may include:
· The Attorney General may institute an action for injunctive relief and/or civil penalties, not to exceed $3,000 per violation.
· If a court finds that violations constitute a pattern or practice, it can assess additional penalties, which should not exceed $250,000, suspend or revoke applicable licenses, or exclude the covered entity from state-funded health care programs.
10.7.6.4.4 Prohibition of Retaliation
[45 CFR 164.530(g)]
All UNT workforce members are required to report any
suspected violation of federal or Texas laws or regulations, or provisions of
this policy. These reports should be made to their supervisor, the Privacy
Officer of their healthcare component, or the UNT HIPAA Compliance Officer.
All UNT workforce members shall be allowed freely to
discuss and raise questions to managers or to appropriate personnel about
situations that they feel are in violation of federal or Texas law or this
policy.
UNT shall not intimidate, threaten, coerce, discriminate
against, or retaliate against any patient, legally authorized representative,
workforce member, association, organization or group that in good faith:
· Discloses or expresses the intention to disclose suspected violations of federal or Texas laws or regulations, or of this policy.
· Provides information to or testifies against the alleged offender or UNT.
· Objects to or refuses to participate in activities that they believe might violate federal or Texas laws or regulations, or this policy.
· Participates in a compliance review, audit, or peer review of healthcare services.
· Files a legitimate report, complaint, or incident report.
Workforce members who are alleged and found to have filed a
malicious complaint may be subject to disciplinary action.
The UNT HIPAA Compliance Officer will review any allegation of retaliation and will ensure that a proper investigation is conducted.
10.7.7 Confidentiality and Communication
[45 CFR 164.508(a)]
10.7.7.1 Fax Transmittal of PHI
Each UNT healthcare component must develop procedures
and forms that adhere to the following standards relating to facsimile
communications of an individual’s medical records, and each workforce member
must follow the designated procedures:
· PHI may only be sent by fax when the original record or mail-delivered copies will not meet the needs for TPO.
· Information transmitted must be limited to the minimum necessary to meet the requester’s needs.
· Except as authorized by state or federal law, or as authorized by the individual’s consent, a properly completed and signed authorization must be obtained before releasing PHI.
· The following types of medical information are protected by federal and/or state statute and may not be faxed or photocopied without specific written patient authorization, unless required by law:
o Confidential details of:
§ Psychotherapy treatment by a psychiatrist or a licensed psychologist.
§ Other professional services of a licensed psychologist.
§ Social work counseling and therapy.
§ Domestic violence victims’ counseling.
§ Sexual assault counseling.
o HIV test results. An individual’s written authorization is required for each separate release request.
o Records relating to sexually transmitted disease.
o Alcohol and drug abuse records protected by federal confidentiality rules (cf. 42 CFR Part 2).
· A designated fax cover page must be used to send faxes containing PHI. All pages plus the cover page must be marked “CONFIDENTIAL” before being transmitted.
· Workforce members must take reasonable precautions to send the PHI to the correct location, using the correct phone number. If they are uncertain of the fax number, they must first call the location and verify the fax number with a person at the remote location.
10.7.7.1.1 Documentation of Successfully Transmitted Faxes
The healthcare component sending a fax for TPO purposes may
wish to maintain a copy of the fax transmittal or fax confirmation sheet in the
individual’s record, but it is not required to do so.
The healthcare component sending a fax for non-TPO
purposes, based on an authorization of the individual or based on a request that
does not require the consent of the individual, must maintain a copy of the fax
transmittal sheet or, if available, the fax confirmation sheet in the
individual’s record. It must also enter the transmission into the healthcare
component’s disclosure accounting database.
10.7.7.1.2 Misdirected Faxes
If a fax is known to have arrived at an incorrect location,
the workforce member must obtain the incorrect number from the fax memory and
must attempt to contact a party by phone at the remote location to request that
the misdirected fax be destroyed in its entirety. If no one is available by
phone at the remote location, a form designated by the healthcare component must
be faxed to the incorrect number with a request that the misdirected fax be
destroyed in its entirety. The number to which the misdirected fax was sent must
be entered into the disclosure accounting database with a notation that the fax
was sent erroneously to that location.
10.7.7.1.3 Receipt of Faxes with PHI
Fax machines designated for receiving PHI must not be
located in areas accessible to the general public or to workforce members who do
not have authorization to access PHI. The director of the healthcare component,
in conjunction with workforce members responsible for security, shall designate
a secure location for fax machines.
Incoming fax documents are confidential PHI and must be handled in compliance with this policy and with
the healthcare component’s procedures and practices.
If a fax is received in error, the receiving department
shall immediately notify the sending party, and then shall either destroy it in
its entirety or shall follow the directions of the sending party.
Electronic mail that is sent, received, or stored on
computers that are owned, leased, administered, or otherwise under the custody
and control of UNT is the property of UNT and subject to this policy. Email
transmission of PHI shall only be permitted after encryption has been
implemented in the UNT email system.
10.7.7.2.1 General
· Email containing PHI must be treated with the same degree of privacy and confidentiality as the patient’s medical record.
· UNT healthcare components shall make all email messages sent or received that concern the treatment of an individual part of the individual’s record.
· Emailing PHI with the UNT email system is permitted for TPO.
· UNT workforce members may not send or forward any PHI outside the UNT email network unless specifically authorized by the individual.
· When using email UNT workforce members must limit the information transmitted to the minimum necessary to meet the requestor’s needs (see Section 10.7.4) and must use de-identified PHI (see Section 10.7.8.4.1) whenever possible.
· All external disclosures of PHI through email must comply with Sections 10.7.5.3 and 10.7.5.4.3, which deal with authorizations and accounting of disclosures.
10.7.7.2.2 Email Correspondence Between UNT Workforce Members and Patients or Clients
· Prior to using email to correspond with patients or clients, the individual must consent to the use of the email for transmitting confidential PHI and must indicate this in writing on their patient consent form and sign the form.
· UNT workforce members must make sure that the individual has given written consent to correspond through email before doing so.
· Email clients must permit encryption of the PHI transmitted.
· Email should not be used to replace a clinical visit. A health care provider must use due care in determining if email is appropriate for the individual’s treatment, based on the individual’s case history.
· At the conclusion of a dialogue with an individual, all emails regarding health care must be forwarded to the medical records custodian to become part of the individual’s medical record.
10.7.7.2.3 Medical Records Including Email Correspondence Between Physicians
Physicians may email other UNT physicians within the UNT
internal email system regarding patient matters.
If email contains PHI for treatment, the email must be
printed and forwarded to the medical records custodian to become part of the
individual’s medical record.
10.7.7.2.4 Accounting for Email Disclosures
When email is used for disclosing PHI, the release must be
documented in compliance with Section 10.7.5.4.3 of this policy.
10.7.7.3 Substance Abuse Confidentiality
The HIPAA Privacy Regulations consider Substance Abuse
Treatment Records to be a unique subset of PHI, which must be treated
differently from other types of PHI. A Substance Abuse Treatment Record shall be
confidential and be disclosed only for the purposes expressly authorized by the
individual who is the subject of the Substance Abuse Treatment Record.
The content of any Substance Abuse Treatment Record may be
used and disclosed in accordance with the prior written consent of the
individual for TPO. For any other use or disclosure of a Substance Abuse
Treatment Record, the UNT healthcare component or the record custodian must have
an authorization from the individual granting the healthcare component
permission to disclose the information prior to the release of any portion of
the Substance Abuse Treatment Record.
UNT may, however, disclose the
Substance Abuse Treatment Record without the individual’s authorization if:
· Medical personnel are required to treat the individual in an emergency situation and require the information for their treatment.
· Qualified personnel are conducting management audits, financial audits, or program evaluation, but such personnel may not identify, directly or indirectly, any individual receiving treatment in any report of such research, audit, or evaluation, or otherwise disclose individual identities in any manner.
· A person is authorized by an appropriate order of a court of competent jurisdiction to receive the information in the Substance Abuse Treatment Record.
· UNT must report the information in the Substance Abuse Treatment Record by law.
10.7.7.3.1 Criminal Proceedings
Except as authorized by court order, no Substance Abuse
Treatment Record may be used to initiate or substantiate any criminal charges
against an individual or to conduct any investigation of an individual.
10.7.7.3.2 Application
The prohibitions of this section continue to apply to
records concerning any individual who has ever been a patient receiving
Substance Abuse Treatment, irrespective of whether or when this individual
ceases to be a patient.
10.7.7.4 Maintenance of PHI
10.7.7.4.1 Storage of PHI
UNT healthcare components have a duty to protect the
confidentiality and integrity of confidential medical information as required by
law, professional ethics, and accreditation requirements. All UNT workforce
members must strictly observe the following standards for storing PHI:
· Before regular working hours have ended, workforce members must clean desks and working areas so that PHI is properly secured, unless the immediate area can be secured from unauthorized access.
· When not in use, PHI must always be protected from unauthorized access. When left in an unattended room, such information must be appropriately secured.
· If PHI is stored on the hard disk drive or other internal components of a computer workstation, personal computer, or PDA (Personal Digital Assistant), it must be protected by either a password or encryption. Unless encrypted when not in use, computers and their storage units must be secured from unauthorized access.
· If PHI is stored on diskettes, CD-ROMs, ZIP disks, or any other type of removable data storage media, it cannot be commingled with other electronic information.
· If backup copies of PHI are moved to a location away from campus to ensure redundancy and integrity of data, the remote location must be secure and the person transporting the copies must have security clearance and documented training in the requirement of the Privacy Act.
· When PHI is being released through teleconference or video feed, UNT workforce members must treat the protection of the PHI in the same manner as PHI recorded on paper, thereby securing access to the teleconference or video to authorized personnel only. Support staff for the teleconference or video feed must have documented training regarding HIPAA compliance procedures if they will have contact with PHI during the teleconference or video feed.
· PHI stored in medical equipment (EKG, etc.) must be kept secure and disposed of in compliance with this policy.
Each healthcare
component shall develop the procedures and workforce training necessary to
ensure the integrity and confidentiality of stored PHI.
10.7.7.4.2 Printing and Copying of PHI
· PHI in hardcopy format must be disposed of in accordance with this policy and with records retention schedules.
· Printed versions of PHI should not be copied indiscriminately or left unattended and open to compromise.
· Printers and copiers used for printing and copying PHI should be in a secure, non-public location. If the equipment is in a public location, the information being printed or copied is required to be strictly monitored.
· Defective copies or printouts of PHI must be secured and immediately disposed of, in compliance with this policy.
· Access controls must be enforced to ensure that workforce members who transport and dispose of PHI have appropriate security clearance and training; and
· PHI printed to a shared printer shall be promptly removed from the printer and secured.
10.7.7.4.3 Disposal of PHI
10.7.8.1.1 UNT as a Hybrid Entity
[45 CFR 164.504(a)]
UNT consists of healthcare service components, other
services that support the business operations of the healthcare components, and
still other components that are not related to healthcare services. UNT has
elected to consider itself a hybrid entity. Healthcare components and those
components that provide business support to the healthcare components must
comply with all provisions of the privacy rule. The remaining components need
not comply with the requirements of the privacy rule.
Release of protected information from the covered service
or function to the non-covered service or function is considered a disclosure
under the privacy rule for which an authorization must be obtained. If a
University component, however, provides business-associate-like services to the
healthcare component, and if it is so designated, an authorization is not
needed, but the privacy rule applies.
The Texas Medical Privacy Act supplements the federal
requirements, and it considers a covered entity to be any entity or person that
uses, possesses, or obtains protected health information.
10.7.8.1.2 Identification of UNT’s Health Care Components
[45 CFR 164.504(b)]
UNT’s HIPAA Compliance Officer and the UNT System Office
of the Vice Chancellor and General Counsel shall define the healthcare
components of the University and those entities that provide business associate
type support services by April 14, 2003. The remaining components will be
designated as non-covered components. The HIPAA Compliance Officer and the UNT
System Office of the Vice Chancellor and General Counsel will also review this
list annually, and will update it as needed.
10.7.8.1.3 UNT Safeguard Requirements for Health Care Components
[45 CFR 164.504(c)]
Those covered by this policy must develop and implement
adequate protection between covered and non-covered functions or components.
This protection shall be implemented by means of firewalls, policies, and
procedures.
The healthcare component Privacy Officer must be consulted
and must approve the implementation of protection measures that affect the
operation of the healthcare component. Protection measures that are proposed and
that are implemented must also be filed with the HIPAA Compliance Officer for
review.
10.7.8.2 Business Associate Contracts and other Arrangements
[45 CFR 164.504(e)]
A business associate is a person or entity, other than a
workforce member, that performs a function that involves PHI for a healthcare
component of UNT.
Each healthcare component must establish a business
associate agreement with each of their business associates no later than April
14, 2003, unless otherwise advised by the UNT System Office of the Vice
Chancellor and General Counsel. Notwithstanding
anything to the contrary, each healthcare component must establish a business
associate agreement with each of their business associates no later than April
14, 2004. The contract must meet
the legal standards of the UNT System and must be approved by the UNT System
Office of the Vice Chancellor and General Counsel before it is executed.
The business associate contract must establish the
permitted and required uses and disclosures of PHI by business associates. This
use or disclosure must comply with all the federal and Texas privacy laws and
regulations in the same way that the healthcare component must also comply.
At a minimum, the business
associate must contractually agree:
· Not to use or further disclose PHI other than as permitted or required by the contract or as required by law;
· To use appropriate safeguards to prevent use or disclosure of the information other than as provided by the contract;
· To report to the healthcare component any use or disclosure of the information not provided for by the contract of which it becomes aware;
· That agents and subcontractors of the business associate agree to the same restrictions and conditions that apply to the business associate in respect to PHI that the agent or subcontractor receives or creates on behalf of the business associate;
· To make PHI available in accordance with the requirements imposed on the healthcare component;
· To make PHI available for amendment and incorporate any amendments to PHI in accordance with the same requirements imposed on the healthcare component;
· To make available the information required to provide an accounting of disclosures in accordance with the same requirements imposed on the healthcare component; and
· To provide the Secretary of Health and Human Services and the Privacy Officer of the healthcare component with access to all internal practices and records relating to PHI in order to determine whether the healthcare component is in compliance.
At the termination of the
contract, the business associate must agree:
· To return or destroy all PHI;
· Not to retain copies of the information; and
· If the business associate cannot return or destroy the PHI, to extend the protections of the contract to the information and to limit further disclosures.
The healthcare component must determine and document that
the business associate has provided satisfactory assurances that it is able to
meet the requirements of the contract and to protect the privacy of PHI. The
contract must authorize termination of the contract if the business associate
violates a material term of the contract.
If the healthcare component becomes aware of a business
associate’s violation of the terms of the contract or of federal and Texas
laws and regulations, it must take reasonable steps to prevent or to mitigate
any improper use or disclosure of PHI. If reasonable steps to correct a business
associate’s contract violations are not successful in preventing or mitigating
improper use or disclosure of PHI, the healthcare component must:
· Terminate the contract, if feasible, or
· If termination is not feasible, report the problem to the Secretary of HHS, and
· If appropriate, seek a protective order by referring the matter to the UNT System Office of the Vice Chancellor and General Counsel.
The business associate standard does not apply to
disclosures made to another healthcare provider concerning the treatment of an
individual patient, and it also does not apply to disclosures to health plans
for payment purposes.
As a general rule, members of the UNT workforce may not
disclose PHI, unless the individual to whom the PHI belongs has requested the
disclosure and has provided a valid authorization. This section presents the
cases in which PHI may be disclosed. Such disclosures are explicitly limited to
the following cases, and they must strictly comply with this policy and with the
limits and requirements of applicable laws.
Each
healthcare component of UNT shall develop the procedures and forms needed to
implement the requirements of the following sections.
10.7.8.3.1 Information Required by Law
[45 CFR 164.512(a)]
Members of the workforce at UNT may use or disclose PHI if
this use or disclosure is required by law. The information used or disclosed
must be limited in scope to comply with and to meet only the requirements of the
law.
UNT workforce members must meet disclosure requirements
related to victims of abuse, neglect, or domestic violence; judicial and
administrative purposes; and law enforcement purposes.
10.7.8.3.2 Information Required for Public Health Activities
[45 CFR 164.512(b)]
In cases where information is not required by law, a UNT
healthcare component may elect to release PHI without an individual’s
authorization to public health authorities who are legally authorized to receive
such reports for the purpose of preventing or controlling disease, injury, or
disability.
A public health authority is an agency of the United States
government (e.g., the Food and Drug Administration or the Centers for Disease
Control), a State (e.g., the Texas Department of Health), a territory, a
political subdivision of a State or territory, or an Indian tribe that is
responsible for public health matters as part of its official mandate, as well
as a person or entity acting under a grant of authority from, or a contract
with, a public health agency. Under the direction of a public health authority,
a UNT healthcare component may also release PHI to a foreign government agency
that is acting in collaboration with the public health authority.
Examples of information that may be released under this
section include, but are not limited to:
In all cases, the disclosure must be limited to the minimum
necessary, or to the information specifically required by law. The UNT System
Office of Vice Chancellor and General Counsel shall make the final determination
which information may be disclosed under this section.
10.7.8.3.3 Information About Victims of Abuse, Neglect, or Domestic Violence
[45 CFR 164.512(c)]
Members of the UNT workforce may disclose to a government
agency PHI about an individual whom the UNT System Office of the Vice Chancellor
and General Counsel has reasonably determined to be a victim of abuse, neglect,
or domestic violence, if this disclosure is authorized or required by law and
subject to the following conditions:
· The disclosure is required by law, complies with the relevant requirements of that law, and is limited to them;
· The individual agrees to the disclosure; or
·
If the disclosure is expressly authorized by statute or regulation
and:
o The UNT System Office of the Vice Chancellor and General Counsel has made a reasoned determination that the disclosure is necessary to prevent serious harm to the individual or other potential victims, or
o
If the individual is unable to agree because of incapacity, a law
enforcement or other public official authorized to receive the report represents that:
§ The PHI sought is not intended to be used against the individual; and
§
An immediate enforcement activity that depends on the disclosure
would be materially and adversely affected by waiting until the individual is
able to agree to the disclosure.
Government agencies include
social service or protective services agencies.
The Privacy Officer of the UNT
healthcare entity must promptly inform the individual that such a report has
been or will be made, unless:
· The UNT System Office of the Vice Chancellor and General Counsel has made a reasoned determination that informing the individual would place the individual at risk of serious harm, or
·
A surrogate decision maker would be the legally appropriate party
to inform, and the UNT Office of the Vice Chancellor and General Counsel has
made a reasoned determination that this surrogate decision maker is responsible
for the abuse, neglect, or other injury, and that informing this person would
not be in the best interests of the individual under medical care.
10.7.8.3.4 Information
Required for Health Oversight Activities
[45 CFR 164.512(d)]
Members of the UNT workforce may disclose PHI without an
authorization to a health oversight agency for oversight activities authorized
by law. These activities include:
· Audits
· Civil, administrative, or criminal investigations, proceedings, or actions
· Inspections
· Licensure or disciplinary actions
·
Other activities necessary for appropriate oversight of:
o The health care system
o Government benefit programs for which health information is relevant for beneficiary eligibility
o Entities subject to government regulatory programs for which health information is necessary for determining compliance with program standards, or
o
Entities subject to civil rights laws for which health information
is necessary for determining compliance
Disclosure is not permitted if the individual is the
subject of an investigation or activity and the investigation or activity is not
directly related to:
· The individual’s receipt of health care
· A claim for public benefits related to health, for example, food stamps, or
·
The individual’s qualification for or receipt of public benefits
or services when the individual’s health is integral to the claim for public
benefits or services.
If a health oversight activity or investigation is conducted in
conjunction with an oversight activity or investigation relating to a claim for
public benefits that are not related to health, the joint activity or
investigation shall be considered a health oversight activity.
The UNT System Office of the Vice Chancellor and General
Counsel will have the final authority to determine the propriety of a disclosure
in cases that do not clearly meet the above criteria.
10.7.8.3.5 Disclosures by Whistleblowers and Workforce Victims of Crime
Members of the UNT workforce are encouraged to report
conduct that is unlawful or that violates professional or clinical standards to
the Office of Institutional Compliance. Disclosure of PHI to the Compliance
Office for the purpose of reporting unlawful conduct or a violation of
professional or clinical standards is always in compliance with this policy.
A member of the UNT workforce or a business associate may
also disclose PHI without violating this policy if the following conditions are
met:
· The workforce member or business associate believes in good faith that UNT or one of its health care components has engaged in conduct that is unlawful or otherwise violates professional or clinical standards, or that the care, services, or conditions provided by UNT or its health care components potentially endangers one or more patients, workers, or the public, and
·
The disclosure is to:
o A health oversight agency or public health authority authorized by law to investigate or otherwise oversee the relevant conduct or conditions of UNT
o An appropriate health care accreditation organization for the purpose of reporting the allegation of failure to meet professional standards or misconduct at UNT, or
o
An attorney retained by or on behalf of the workforce member or
business associate for the purpose of determining the legal options of the
workforce member or business associate with regard to conduct believed to be
unlawful or in violation of professional or clinical standards
A member of the UNT workforce
may also disclose PHI without violating this policy if:
· The workforce member is a victim of a criminal act; and
·
The disclosure is to a law enforcement official, provided that:
o The PHI disclosed is about the suspected perpetrator of the criminal act; and
o
The PHI disclosed is limited to the suspected perpetrator’s:
§ Name and address
§ Date and place of birth
§ Social security number
§ ABO blood type and Rh factor
§ Type of injury
§ Date and time of treatment
§ Date and time of death, if applicable, and
§
Description of the individual’s distinguishing physical
characteristics, including height, weight, gender, race, hair and eye color,
presence or absence of facial hair, scars or tattoos
10.7.8.3.6 Information for
Judicial and Administrative Proceedings
[45 CFR 164.512(e)]
UNT may use or disclose PHI in the course of any judicial
or administrative proceeding if the following conditions are met:
· The disclosure is in response to an order of a court or administrative agency, but only the PHI expressly authorized by the order may be disclosed
·
The disclosure is in response to a subpoena, discovery request, or
other lawful process that is not accompanied by an order of a court or an
administrative agency (such as a subpoena from a government agency) provided
that:
o The UNT System Office of the Vice Chancellor and General Counsel receives satisfactory assurance from the party seeking the information that reasonable efforts have been made to ensure that the subject of the requested PHI has been given notice of the request, evidenced by an affidavit from the requesting party, or
o
The UNT System Office of the Vice Chancellor and General Counsel
receives satisfactory assurance from the party seeking the information that this
party has made reasonable efforts to secure a qualified protective order. A
qualified protective order is an order of a court or an administrative tribunal
or a stipulation by the parties to a litigation or administrative proceeding
that:
§ Prohibits the parties from using or disclosing the PHI for any purpose other than the litigation or proceeding for which such information was requested, and
§
Requires returning PHI to UNT or requires destroying the PHI and
all copies made at the end of the litigation or proceeding.
·
The UNT System Office of the Vice Chancellor and General Counsel
receives satisfactory assurances from a party seeking PHI along with a written
statement and accompanying documentation that:
o The party requesting such information has made a good faith attempt to provide written notice to the individual (or to mail a notice to the individual’s last known address)
o The notice included sufficient information about the litigation or proceeding in which the PHI is requested that would enable the individual to raise an objection to the court or administrative tribunal, and
o
The time for the individual to raise objections to the court or
administrative tribunal has elapsed, and
§ No objections were filed, or
§
All objections filed by the individual have been resolved by the
court or the administrative tribunal and the disclosures being sought are
consistent with such resolution.
· The UNT System Office of the Vice Chancellor and General Counsel receives satisfactory assurances from a party seeking PHI including a written statement and accompanying documentation demonstrating that:
o The parties to the dispute that gave rise to the request for information have agreed to a qualified protective order and have presented it to the court or administrative tribunal with jurisdiction over the dispute, or
o
The party seeking the PHI has requested a qualified protective
order from such court or administrative tribunal.
If the above conditions are not met, UNT has the option to
disclose PHI in response to lawful process without receiving full satisfactory
assurances, provided that UNT has made its own reasonable efforts:
· To provide notice to the individual sufficient to meet the requirements of this section, or
·
To seek a qualified protective order.
10.7.8.3.7 Information for
Law Enforcement Purposes
[45 CFR 164.512(f)]
This section deals with PHI that may be disclosed for law
enforcement purposes in which de-identified information is not sufficient for
law enforcement’s needs.
· For the purpose of complying with laws that require reporting certain kinds of wounds or other physical injuries, UNT may disclose PHI to appropriate law enforcement officials or agencies.
·
For the purpose of complying with a court order, warrant,
subpoena, summons, grand jury subpoena, administrative request or subpoena, a
civil or authorized investigative demand, or similar process authorized by law,
UNT may disclose PHI to authorized officials, provided that:
o The information requested is relevant and material to a legitimate law enforcement inquiry;
o The request is specific and limited in scope to the purpose for which the information is sought; and
o
De-identified information cannot reasonably be used.
·
For the purpose of identifying or locating a suspect, fugitive,
material witness, or missing person, UNT may release PHI in response to a
request by a law enforcement official, provided that the information is limited
to the following:
o Name and address
o Date and place of birth
o Social security number
o ABO blood type and Rh factor
o Type of injury
o Date and time of treatment
o Date and time of death, if applicable, and
o
A description of distinguishing physical characteristics,
including height, weight, gender, race, hair and eye color, presence or absence
of facial hair, scars, and tattoos
PHI related to an individual’s DNA or DNA analysis, dental records, or typing, sample, or analysis of bodily fluids or tissues may NOT be disclosed in response to such a request for PHI by a law enforcement official.
·
To provide information about an individual who is or is suspected
to be a victim of a crime, UNT may release PHI in response to a request by a law
enforcement official, provided:
o The individual agrees to the disclosure, or
o
UNT is unable to obtain the individual’s agreement because of
incapacity or other emergency circumstance, provided that:
· The law enforcement official represents that such information is needed to determine whether a violation of law by a person other than the victim has occurred, and that such information is not intended to be used against the victim;
· The law enforcement official represents that immediate law enforcement activity that depends on the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure; and
·
The disclosure is in the best interests of the individual as
determined by the UNT healthcare component and the UNT System Office of the Vice
Chancellor and General Counsel, in the exercise of their professional judgment.
· For the purpose of alerting law enforcement of the death of the individual, UNT may disclose PHI about a deceased individual to law enforcement officials, if UNT has a suspicion that such death may have resulted from criminal conduct.
· For the purpose of providing evidence of criminal conduct that occurred on UNT premises, UNT may disclose PHI that it believes in good faith constitutes evidence to law enforcement officials.
·
For the purpose of alerting law enforcement of the commission of a
crime, UNT may disclose PHI to law enforcement officials if such disclosure is
deemed necessary to identify:
o The nature of a crime;
o The location of a crime or of the victim(s) of a crime; and
o
The identity, description, and location of the perpetrator of a
crime.
10.7.8.3.8 Information
about Decedents
[45 CFR 164.512(g), (h)]
UNT may disclose PHI about a deceased individual for the
following purposes:
· To coroners and medical examiners for the purposes of identifying a deceased person, determining a cause of death, or other duties as authorized by law;
· To funeral directors, consistent with applicable law, as necessary to carry out their duties with respect to the deceased. If necessary for the funeral directors to carry out their duties, UNT may disclose PHI prior to and in reasonable anticipation of the individual’s death; or
·
To organ procurement organizations or other entities engaged in
the procurement, banking, or transplantation of cadaver organs, eyes, or tissues
for the purpose of facilitating organ, eye, or tissue donation and
transplantation.
10.7.8.3.9 Research Use
of Health Information
[45 CFR 164.512(i)]
The use and disclosure of PHI in research must have
appropriate authorizations and safeguards in place. The UNT IRB review process
is responsible for determining which federal and Texas standards apply to the
use and disclosure of PHI for research. All researchers and their staff must
rigorously comply with the procedures of the IRB and of the Office of Research
Services in the use of PHI.
Faculty, staff, and students of UNT may not initiate
research involving human subjects without approval of the IRB before the
research starts. Please see UNT Policy 16.5 Human Subjects in Research, and its
associated procedures, for an explanation of the requirements of the IRB
approval process.
Whenever possible, de-identified PHI should be used for
research. When de-identified PHI is to be used for research, including public
health research, the standards listed in section 10.7.8.4.1 below must be
followed. In addition:
· PHI used for research should be de-identified at the point of data collection for research protocols approved by the IRB, unless the participant voluntarily and expressly consents to the use of his or her personally identifiable information or the researcher(s) obtain an IRB waiver of authorization.
·
If PHI is de-identified by assigning a code or key that permits
re-identification, anyone involved in the research project must not disclose
that code or key and must not disclose the mechanism used to re-identify the
information.
10.7.8.3.10 Information
Needed to Avert Serious Threat to Health and Safety
[45 CFR 164.512(j)]
Consistent with applicable law and standards of ethical
conduct, UNT may disclose PHI, provided:
·
UNT, in good faith, believes that the use or disclosure:
o
Is necessary to prevent or lessen a serious or imminent threat to
the health or safety of a person or the public, and
o
Is to a person or persons reasonably able to prevent or lessen the
threat, including the target of the threat; or
·
The use or disclosure is necessary for law enforcement authorities
to identify or apprehend an individual:
o Because of a statement by the individual admitting participation in a violent crime that UNT reasonably believes may have caused serious physical harm to the victim, or
o
Where it appears from all the circumstances that the individual
has escaped from lawful custody.
A disclosure based on an individual’s statement admitting
participation in a violent crime is not permitted if UNT learned of the
statement:
§ In the course of treatment designed to affect the propensity to commit the criminal conduct that would be the basis for the disclosure, or in counseling or therapy, or
§
Through the individual’s request to initiate, or to be referred
for, such treatment, counseling, or therapy.
When the disclosure is based on such a statement, UNT may only
release the statement itself and the identifying information listed in
10.7.8.3.7 for locating a suspect. The UNT System Office of the Vice Chancellor
and General Counsel will decide which information may reasonably be released.
10.7.8.3.11 Information
Required by Specialized Government Agencies
[45 CFR 164.512(k)]
UNT may disclose PHI for
specialized government functions, provided that:
· The University Police verify the identity of the individuals representing the specialized government function; and
·
The UNT System Office of the Vice Chancellor and General Counsel
authorizes the release
The specialized government functions to which PHI may be
disclosed if necessary and legally appropriate include:
· Armed forces personnel, the Red Cross, or other authorized agents of the Armed Forces, if deemed necessary by appropriate military command authorities to assure the proper execution of a military mission. The appropriate military authority must have published a notice in the Federal Register specifying the appropriate military command authorities and the purposes for which the requested PHI may be used or disclosed.
· Authorized federal officials for the conduct of lawful intelligence, counter-intelligence, and other national security activities.
· Authorized federal officials for the provision of protective services to the President or foreign heads of state.
· The Department of State, for the purpose of making medical suitability determinations.
· A correctional institution, if information about an individual is needed for the treatment of that individual, or for the health and safety of other inmates and of employees of a correctional institution, including those responsible for transporting the individual.
·
Government programs providing public health benefits and
government agencies administering such benefits.
10.7.8.3.12 Workers’
Compensation Disclosures
[45 CFR 164.512(l)]
Pursuant to Texas Labor Code §402.084 (from the Texas
Workers’ Compensation Act) and rules of the State Office of Risk Management,
the individual is required to sign an authorization to release medical
information relating to a workers’ compensation claim to the State Office of
Risk Management. This information may be released to that agency, as well as to
the individual, the individual’s representative, and the employer at the time
of the individual’s injury. Consequently, authorized personnel of UNT may
access medical information related to a workers’ compensation claim once the
individual has signed this authorization.
An individual’s consent or authorization is not required,
however, by the HIPAA Privacy Rules for UNT to respond as an employer to legally
valid requests for an individual’s PHI that is directly related to a
Workers’ Compensation claim. However, only the minimum necessary
information will be released in response to the request, unless the requestor
can give good cause to UNT that additional information must be released.
10.7.8.3.13 Use and
Disclosure to Family and Friends—Individual Care and Notification
[45 CFR 164.510(b)]
UNT healthcare components may disclose certain PHI to an
individual’s family member, other relative, a close personal friend of the
individual, or any other person identified by the individual, provided that PHI
is directly relevant to that person’s involvement with the individual’s care
or payment related to the individual’s treatment and health care. UNT
healthcare components may use or disclose PHI to notify or assist in the
notification of a family member, a personal representative of the individual, or
another person responsible for the care of the individual when this information
is related to the individual’s location, general condition, or death. UNT may
also use and disclose PHI for the purpose of identifying or locating family,
close personal friends, or personal representatives.
If the individual is present or otherwise available and if
the individual has the capacity to make health care decisions, the UNT
healthcare component may use or disclose the PHI if it:
· Obtains the individual’s verbal or written agreement to do so, or
· Provides the individual with the opportunity to object to the disclosure, and the individual does not object, or
·
Reasonably infers from the circumstance, based on the exercise of
professional judgment, that the individual does not object to the disclosure.
The workforce member attending the individual shall note in
the individual’s chart or record whether or not the individual was able to
consent, whether or not consent was given, and what if any limitations on
disclosure the individual requested.
If the individual is not present, or if because of the individual’s incapacity or because of emergency circumstances the individual does not have the capacity or opportunity to agree or to object, the UNT healthcare component may, in its exercise of professional judgment, determine whether the disclosure is in the best interest of the individual. If so, it shall disclose only the PHI that is directly relevant to the person’s involvement with the individual’s health care. UNT healthcare components may use professional judgment and their experience with common practice to make reasonable inferences of the individual’s best interest in allowing a person to act on behalf of the individual to pick up filled prescriptions, medical supplies, X-rays and other diagnostic media, and similar forms of PHI.
10.7.8.3.14 Use and
Disclosures for Marketing
[45 CFR 164.514(e)]
UNT workforce members may not use, disclose, sell, or
coerce an individual to consent to the disclosure, use, or sale of PHI for
marketing purposes. The individual, however, may freely consent or authorize
such disclosure, using the appropriate forms and procedures.
The following scenarios are not a violation of this policy.
A workforce member may:
· Provide information on health-related products and services in a face-to-face encounter with a patient or client.
· Provide a patient or client with common healthcare communications, such as appointment reminders, prescription refill reminders, and information on disease management and wellness programs.
· Provide the patient or client with information on participating providers or plans in a network or with alternative treatment options.
· Provide the patient or client with sample products.
·
Provide promotional gifts that include marketing communications,
provided these are of nominal value (pens, calendars, etc.).
No written marketing
communication may be sent to an individual without an authorization from the
individual.
10.7.8.3.15 Disclosures
for Underwriting
[45 CFR 164.514(g)]
A UNT healthcare component may disclose PHI to a health
plan for the purpose of underwriting, premium rating, or other activities
related to the creation, renewal, or replacement of a contract for health
insurance or other health benefits. However, if the health plan is not awarded a
contract for health insurance or other health benefits, the health plan may not
use or disclose this protected health information for any other purpose, except
as required by law.
10.7.8.3.16 Verification
Requirements
[45 CFR 164.514(h)]
With the exception of PHI used for notification of an
individual’s family (10.7.8.3.13), a healthcare component that is releasing
PHI must verify the identity of the party requesting it before the PHI is
disclosed, and it must verify the authority of the individual to request the
PHI. If a person requests PHI, and if this policy permits the release, the
healthcare component must also require that the requesting party produce any
documents or other representations that are required by the law or this policy.
If the documents are in good form, and are properly signed and contain the
correct content, the healthcare component can rely on their validity.
The healthcare component may rely on the identity of a
government or public health official who presents proper identification, and may
rely on the validity of a written request that is properly submitted on the
letterhead of a government agency or public health authority.
The healthcare component may rely on the authority of a
government or public health official or agency to request PHI provided that the
person or agency produces a statement identifying their legal authority. This
might take the form of a warrant,
subpoena, order, or other legal process issued by a grand jury or a judicial or
administrative tribunal, all of which may be assumed to represent proper legal
authority.
The
healthcare component must also exercise sound professional judgment in making
disclosures to family of an individual, and it must make a good faith effort to
verify the identity and authority of all other parties or agencies requesting
PHI.
10.7.8.4.1
De-identification of Protected Health Information
[45 CFR 164.502(d),
164.514(a)(b)]
PHI is considered de-identified once the identifying characteristics
listed below have been removed and the healthcare component has no actual
knowledge that the remaining information could be used, alone or in
combination with other information, to identify the individual. PHI must be
de-identified prior to disclosure to non-authorized users. De-identified PHI
should be used for any permitted purpose whenever this is possible and
feasible.
All personnel must strictly observe the following standards
for de-identification of PHI:
·
To de-identify PHI, the following identifiers of the patient must
be removed:
o Name
o
All geographic subdivisions smaller than a State, including street
address, city, county, precinct, and zip code. The only exception is the first
three digits of a zip code, which may be kept if, according to current Census
Bureau data, the area formed by combining all zip codes with those three
initial digits contains more than 20,000 people; where it contains 20,000 or
fewer people, the three digits must be changed to 000
o Names of relatives and employers
o All elements of dates (except the year) directly related to the individual, including birth, admission, discharge, and death dates; all ages over 89, and any date elements that would reveal such an age, must be aggregated into a single category of age 90 or older
o Telephone number
o Fax number
o Email address
o Social security number
o UNT identification number or medical record number
o Health beneficiary plan number
o Account numbers
o Certificate or license number
o Vehicle identifiers, including license plate numbers
o Device ID and serial number
o Uniform Resource Locator (URL)
o Internet Protocol (IP) addresses
o Biometric identifiers
o Full face photographic images and other comparable images
o
Any other unique identifying number, characteristic, or code
· Whenever possible, de-identified PHI should be used for routine reporting and for quality assurance monitoring or audits.
·
An authorized user who assigns a code to PHI in order to de-identify it
must ensure that the code is not derived from or related to information about
the individual whose information is being de-identified (for example, it must
not be a hash or encryption of the individual’s name, social security number,
or medical record number), and that the code cannot be translated so as to
identify the individual.
10.7.8.4.2 Re-identification of Protected Health
Information
[45 CFR 164.502(c)]
A healthcare component may assign a
code or other means of record identification to allow information de-identified
to be re-identified by the covered entity, provided that the code or other means
of record identification is not derived from or related to information about the
individual and is not otherwise capable of being translated so as to identify
the individual; and the healthcare
component does not use or disclose the code or other means of record
identification for any other purpose, and does not disclose the mechanism for
re-identification.
Texas Health and Safety Code, Chapter 181, requires the individual’s
consent to apply a re-identification code to the individual’s de-identified
PHI.
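As an added illustration of the two preceding sections (it is not part of the UNT policy), the following Python sketch applies the safe-harbor removals to a constructed sample record and then assigns a re-identification code the way 10.7.8.4.2 requires: the code is random, the lookup table stays with the covered entity, and the last function shows why a code derived from the individual's data (a hash of the social security number) would fail the "not derived from" requirement, since a nine-digit number is trivially enumerated. The column names, the sample record, the reference date and the ZIP-prefix population figures are assumptions made for the example, not real or Census data.

```python
"""Safe-harbor de-identification and re-identification coding.

Added example for sections 10.7.8.4.1 and 10.7.8.4.2; not part of the UNT
policy. Column names, the sample record, TODAY and the ZIP-prefix population
figures are constructed for the illustration (assumptions, not real data).
"""
import hashlib
import secrets
from datetime import date
from typing import Iterable, Optional

# Identifier columns the safe-harbor list requires to be removed outright.
# (Assumed column names; a real system maps its own schema onto the list.)
DIRECT_IDENTIFIERS = frozenset({
    "name", "street_address", "city", "county", "relatives", "employer",
    "phone", "fax", "email", "ssn", "mrn", "plan_number", "account_number",
    "license_number", "vehicle_id", "device_serial", "url", "ip_address",
    "biometric", "photo",
})

# Constructed population per 3-digit ZIP prefix (assumption). The real check
# uses current Census Bureau figures.
ZIP3_POPULATION = {"762": 350000, "799": 12000}

# Constructed reference date used to compute ages (assumption).
TODAY = date(2024, 1, 1)


def generalize_zip(zip_code: str) -> str:
    """Keep the first three ZIP digits only if the area formed by all ZIP codes
    sharing them has more than 20,000 people; otherwise the prefix becomes 000."""
    prefix = zip_code[:3]
    return prefix if ZIP3_POPULATION.get(prefix, 0) > 20000 else "000"


def age_on(dob: date, today: date) -> int:
    """Whole years between dob and today."""
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))


def deidentify(record: dict, today: date = TODAY) -> dict:
    """Return a safe-harbor de-identified copy of one patient record.

    Direct identifiers are dropped, other dates keep only the year, and an age
    over 89 (together with the birth year that would reveal it) collapses into
    the single category "90+".
    """
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                               # dropped entirely
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "dob":
            if age_on(value, today) > 89:
                out["age_category"] = "90+"       # birth year would reveal the age
            else:
                out["birth_year"] = value.year
        elif isinstance(value, date):
            out[key + "_year"] = value.year        # keep only the year
        else:
            out[key] = value                       # clinical content is not an identifier
    return out


class ReidentificationVault:
    """Maps random codes back to medical record numbers; held only by the
    covered entity and never disclosed with the de-identified data set.

    Codes come from a CSPRNG, so they are not derived from anything about the
    individual and cannot be reversed without this table. The table itself is
    the "mechanism for re-identification" the policy says must not be disclosed.
    """

    def __init__(self) -> None:
        self._code_to_mrn = {}

    def assign(self, mrn: str) -> str:
        code = secrets.token_hex(16)
        self._code_to_mrn[code] = mrn
        return code

    def reidentify(self, code: str) -> str:
        return self._code_to_mrn[code]


def hash_code_for(ssn: str) -> str:
    """The kind of code the policy forbids: derived from the SSN by hashing."""
    return hashlib.sha256(ssn.encode()).hexdigest()


def recover_ssn_from_hash(digest_hex: str, candidate_ssns: Iterable[str]) -> Optional[str]:
    """Why a hashed SSN is not acceptable: the code is reversed by enumerating
    candidates (at most 10**9 for nine digits), so it can be 'translated' back."""
    for ssn in candidate_ssns:
        if hash_code_for(ssn) == digest_hex:
            return ssn
    return None


# Constructed sample record (not a real person).
SAMPLE = {
    "name": "Pat Example", "ssn": "123-45-6789", "mrn": "MRN-0001",
    "street_address": "1 Main St", "city": "Denton", "zip": "76201",
    "email": "pat@example.invalid", "dob": date(1990, 5, 4),
    "admit_date": date(2023, 2, 1), "diagnosis": "J45.20",
}


def demo(today: date = TODAY) -> tuple:
    """De-identify SAMPLE and attach a random re-identification code."""
    vault = ReidentificationVault()
    clean = deidentify(SAMPLE, today)
    clean["code"] = vault.assign(SAMPLE["mrn"])
    return clean, vault


if __name__ == "__main__":
    clean, vault = demo()
    print(clean)
    print("re-identified:", vault.reidentify(clean["code"]))
```

The de-identified record keeps the clinical content, the ZIP prefix, and years only; the only link back to the patient is the random code, whose lookup table is the thing that must never leave the healthcare component. Compare that with `hash_code_for`, which is reversible by anyone who can enumerate social security numbers.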
10.7.8.4.3 Uses and Disclosures of PHI by and for
Personal Representatives, Minors, and Deceased Individuals
A personal representative is any adult who has the
capacity to make decisions and who is willing to act on behalf of a patient or
client. A personal representative would include an individual who has authority,
by law or by agreement from the individual receiving treatment, to act in place
of the individual. This includes parents, legal guardians, or properly appointed
agents (those with Durable Power of Attorney for healthcare), or individuals
designated by state law.
A minor is an individual under the age of 18 who has
not been legally emancipated by a court, and who also is:
· Not married or previously married
· Not serving in the armed forces
· Not an offender in a correctional facility
·
Not at least 16 years of age, living apart from his or her parents
or guardian, and providing his or her own financial support
As a general rule, minors, incapacitated, and deceased
individuals must have a personal representative in order to provide consent or
authorization to use and disclose the individual’s PHI. UNT must recognize a
personal representative who is properly designated as the individual responsible
for providing consents and authorizations for any other use or disclosure of
PHI. However, UNT need not recognize a personal representative as the individual
if the personal representative is suspected of abusing, neglecting, or
endangering the individual.
10.7.8.4.4 Adults and Emancipated Minors
If a person has authority by law to act on behalf of an
individual who is an adult or an emancipated minor in making decisions related
to the use and disclosure of PHI, UNT will treat this person as a personal
representative of the individual. Once a minor is emancipated, a parent or
guardian may no longer be recognized as a personal representative.
Unless a legal document such as a Durable Power of Attorney
exists to designate a personal representative, UNT will treat the following
persons, in priority order, as having the right to act as the individual for
consent and authorization to release PHI:
· The individual’s spouse
· An adult child of the individual who has the agreement and consent of all other qualified adult children of the individual to act as the sole decision-maker
· A majority of the individual’s reasonably available adult children
· The individual’s parent(s), or
·
The person clearly identified to act for the individual before the
individual’s incapacity or death, the individual’s nearest living relative,
the individual’s specified emergency contact, or a member of the clergy
10.7.8.4.5 Un-emancipated Minors
UNT must recognize as a personal representative a parent,
guardian, or other person who has authority by law to act on behalf of an
individual who is an un-emancipated minor in making decisions related to use
and disclosure of PHI.
If a minor does not require the consent of an adult and may
consent to treatment, UNT will treat the minor as an individual who may provide
consent or authorization for the release of PHI.
A minor, with authority by law, can act as an individual in
cases that include but are not limited to the following:
· Diagnosis and treatment of a sexually transmitted disease
· Some outpatient surgeries
· Alcohol and drug abuse treatment
· Family planning services
·
Abortion
10.7.8.4.6 Abuse, Neglect, and Endangerment
Unless a state law requires otherwise, UNT need not
recognize a person as the personal representative of an individual if UNT
reasonably determines that it is not in the best interest of the individual to
do so, and also if it reasonably determines or believes that one of the
following conditions exist:
· The individual has been or may be subjected to domestic violence, abuse, or neglect by a parent, guardian, or personal representative.
· Treating the person as a personal representative could endanger the individual.
10.7.8.4.7 Deceased Individuals
PHI generated during the life of an individual is protected
from disclosure after death unless disclosure is for treatment, payment, or
health care operations. UNT and its workforce members cannot release PHI
regarding a deceased individual unless a valid personal representative has been
established and the personal representative has requested the PHI through the
proper authorization process.
If an executor, administrator, or other person has
authority under applicable law to act on behalf of a deceased individual or the
individual’s estate, UNT must recognize this person as a personal
representative. If an executor, administrator, or other court-appointed
representative for the deceased individual’s estate does not exist, UNT will
recognize the following individuals as authorized to request the release of PHI.
The UNT System Office of the Vice Chancellor and General Counsel shall determine
the appropriate person that UNT may recognize as personal representative in
doubtful cases.
In the case of a deceased, married individual survived by a
spouse with or without descendants:
· Spouse
· Adult children
· Adult grandchildren
· Parents
· Adult descendants of parents (brothers and sisters)
· Brothers’ and sisters’ adult children
· Brothers’ and sisters’ adult grandchildren
· Grandparents
·
Adult descendants of grandparents (uncles and aunts)
In the case of a deceased individual with no spouse (i.e.,
never married, widowed, or divorced and not remarried), with or without
descendants:
· Adult children
· Adult grandchildren
· Parents
· Adult descendants of parents (brothers and sisters)
· Brothers’ and sisters’ adult children
· Brothers’ and sisters’ adult grandchildren
· Grandparents
·
Adult descendants of grandparents (uncles and aunts)