Policy Manual
University of North Texas

Classification
Number: 10.7

Date Issued:04/21/03

SUBJECT: PROTECTED HEALTH INFORMATION PRIVACY POLICY

APPLICABILITY: ALL UNIVERSITY OF NORTH TEXAS FACULTY, STAFF, STUDENTS, HEALTHCARE VOLUNTEERS, AND BUSINESS ASSOCIATES OR AGENTS WHO ARE GRANTED ACCESS TO PROTECTED HEALTH INFORMATION.

10.7.1 Topics the Policy Covers
[45 CFR 164.502(a)-(j)]

This policy is the guidance and regulation component of Department of Health and Human Services requirements that the University of North Texas (UNT) communicate clear and specific compliance standards and procedures to applicable parties regarding the prohibited and required uses and disclosure of Protected Health Information (PHI). The policy provides standards and regulations for:

Notice of privacy practices
Permitted uses and disclosures of PHI

Consent, and what makes a consent valid or defective

Verification requirements
When the “minimum necessary” standard applies to uses and disclosures
Patient rights

Access to their own PHI
Use and disclosure of Psychotherapy notes
Authorizations
Uses and disclosures of PHI consistent with notice
Resolving conflicting consents and authorizations
To restrict the use and disclosure of their own PHI
To amend their own PHI
To receive an accounting of disclosures of their PHI
To receive treatment without waiving their rights to complain

Treating a personal representative as the individual whose health information is protected, in the cases of

Adults and emancipated minors
Un-emancipated minors
Deceased individuals, and
Individuals subjected to abuse, neglect, or endangerment

Creating de-identified information from PHI and regulations for use and disclosure of de-identified PHI for research or other legitimate purposes
Confidential communications

Fax communication
Email communication
Confidentiality of substance abuse records
Storage of PHI
Printing and Copying PHI
Disposal of PHI

Disclosures to business associates and standards for business associate contracts
Use and disclosure of PHI that do not require consent

For marketing
For underwriting
For involvement in an individual's care and for notification purposes
Required by law
For public health activities
For health oversight activities
For judicial and administrative proceedings
For law enforcement purposes
For research purposes
To avoid a serious threat to health and safety
For specialized government functions
For workers' compensation
Of deceased individuals
Disclosures by whistleblowers and workforce member crime victims

Designation of Privacy Officer and Contact Person
Training of workforce members
Safeguards
Complaint process
Sanctions for improper use or disclosure
Mitigation of effects of improper use or disclosure
Prohibition of intimidating and retaliatory acts
Changing policies whenever required
Retaining documentation

This policy is one component of the requirements of 45 CFR 164.530 that UNT have a policy that is consistent in scope with its covered healthcare activities. Each healthcare component of UNT must also elaborate on any sections of this policy that its mission and scope requires. Policy additions made by healthcare components may be more restrictive than the requirements of this policy, but they cannot be less restrictive. Each healthcare component must also create procedures and forms that comply with this policy, federal, and Texas laws and regulations, and that are consistent with its mission and its operations. It must also train its workforce in the use of its procedures and forms.

10.7.1.1 Definitions

Throughout this policy:

The term “individual” refers to a patient or a client of the healthcare provider
The term “workforce member” refers to a member of the faculty, staff, or student body who is an employee of the University of North Texas or who is a volunteer or intern performing duties in a healthcare component of UNT, and who is supervised by a member of the healthcare component's administrative structure.

10.7.2 Patient Notice of Health Information Practices

[45 CFR 164.520]

An individual has a right to adequate notice of the uses and disclosures of PHI that may be made by healthcare components of UNT, and of the individual's rights and UNT's responsibilities with respect to PHI. UNT healthcare components are required to provide a Notice of Privacy Practices (NPP) to all individuals, as well as to other individuals requesting a copy. Those persons who register individuals will be responsible for distributing a copy of the NPP to all individuals.

10.7.2.1 General Requirements

UNT healthcare components must:

Develop the required NPP, forms, procedures, and workforce training related to this section;
Provide the notice no later than the date of the first service delivery, including service delivered electronically to an individual and, if possible, determine if a language barrier exists;
Make a good faith effort to obtain an initial written acknowledgement of the receipt of NPP from the individual and document the receipt of the NPP, using an appropriate acknowledgement form and filing system;
Have the NPP available at the service delivery site for individuals to take with them;
Post the NPP in a clear and prominent location where it is reasonable to expect individuals seeking service from the UNT healthcare component to be able to read the NPP; and
Whenever the NPP is revised, provide the new NPP to all patients or clients on their next visit on or after the effective date of the revision.

If an individual is treated on an emergency basis, the UNT healthcare component may delay providing the NPP and receiving an acknowledgement until a practical time.

10.7.2.2 Notice

The NPP must be written in plain language and must contain the following elements:

Header . “THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.” This header must be at the top of the notice, in capital letters, or otherwise in a prominent location on the notice.

Consent . Texas law requires that individuals provide their consent to receive treatment from a healthcare organization. The NPP shall provide the individual the opportunity to acknowledge this consent in writing,
Uses and disclosures . The NPP must contain:

A description of the types of uses and disclosures that the UNT healthcare component is permitted to make, including at least one example for each of the following purposes: Treatment, Payment, and health care Operations (TPO);
A description of each of the purposes for which the UNT is permitted or required to use or disclose PHI without the individual's written authorization;
A statement that other uses and disclosures will be made only with the individual's written authorization, and that the individual may revoke such authorization, using the appropriate forms;
A statement that the UNT component may contact the individual to provide appointment reminders or information about treatment alternatives or other health-related benefits and services that may be of interest to the individual; and

Individual rights . The NPP must contain a statement of the individual's rights with respect to PHI and a brief description of the procedures that the individual would use to exercise these rights:

The right to request restrictions on certain uses and disclosures of PHI;
The right to receive confidential communications of PHI;
The right of the individual to inspect and obtain a copy of the individual's own PHI;
The right to request an amendment to PHI;
The right to receive an accounting of disclosures of PHI; and
The right of an individual, including an individual who has agreed to receive the NPP electronically, to obtain a paper copy of the NPP on request.

Healthcare component's duties . The NPP must contain a statement that the UNT healthcare component:

Is required by law to maintain the privacy of PHI and to provide individuals with notice of its legal duties and privacy practices with respect to PHI;
Is required to abide by the terms of the NPP currently in effect; and
Reserves the right to change the terms of its NPP and to make the new provisions effective for all PHI that it maintains. The statement must also describe how it will provide individuals with a revised NPP.
Cannot delete anything from the record although amendments can be considered.

Complaints . The NPP must contain a statement that individuals may complain to the UNT healthcare component, and to the Department of Health and Human Services, if they believe that their privacy rights have been violated, a brief description of how the individual may file a complaint with the UNT healthcare component, and a statement that the individual will not be retaliated against for filing a complaint.
Contact . The NPP must contain the name, or title, and telephone number of a person or office to contact for further information.

Effective date . The NPP must contain the date on which the NPP is first in effect, which may not be earlier than the date on which the NPP is printed or otherwise published.

10.7.2.3 Electronic Notice

If a UNT healthcare component develops an electronic NPP, it must post a current copy on its web site.
If electronic mail is used to send a copy of the NPP to an individual, the electronic mail communication must comply with Section 10.7.7.2 of this policy. If the UNT healthcare component becomes aware that the email transmission was not successful, it must provide a paper copy of the NPP to the individual.
Electronic notice by the UNT healthcare component satisfies the notice requirement if receipt of the NPP is documented and retained by the healthcare component.
The individual who is the recipient of en electronic notice retains the right to obtain a paper copy of the NPP from the UNT healthcare component on request.

10.7.2.4 Documentation of Notice

The UNT healthcare component must document compliance with the notice requirements by retaining copies of the NPP's they have issued. Those persons who register patients or clients shall be responsible for distributing the NPP to all patients or clients, documenting receipt of the acknowledgment form in an appropriate filing system, and retaining the original signed form in the patient's or client's file or record. If the individual refused to sign the acknowledgement form or if it was otherwise impossible to receive an acknowledgement from the individual, the healthcare component must document on the acknowledgement form the reason why written acknowledgement could not be received.

10.7.2.5 Revisions to the Notice

The UNT healthcare component must promptly revise and make available its NPP whenever there is a material change to its uses or disclosures, an individual's rights, UNT's legal duties, or other privacy practices that are stated in the NPP. Except when required by law, a material change to a term of the NPP may not be implemented prior to the effective date of the NPP in which such material change is reflected.

10.7.3 Uses and Disclosures of PHI

UNT workforce members may use and disclose PHI for TPO only if the patient has signed and executed a Consent for Treatment, which includes a Use and Disclosure of PHI form that grants UNT or the UNT healthcare component and its workforce members the right to use and disclose PHI to carry out TPO. However, this consent only allows UNT or the healthcare component to use and disclose the “Minimum Necessary” amount of information required to complete the desired task. In compliance with Texas Health and Safety Code, Chapter 181, each UNT healthcare component shall develop the necessary Consent acknowledgement form and ensure that individuals receive it when they receive the NPP.

10.7.3.1 Definitions

“Use” with respect to individually identifiable health information : The sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information.

10.7.3.2 Disclosure : The release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information.

10.7.3.3 Treatment : The provision, coordination, or management of health care related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or for the referral of a patient for health care from one health care provider to another.

10.7.3.4 Payment : Any activities undertaken either by a health plan or by a health care provider to obtain premiums determine or fulfill its responsibility for coverage and the provision of benefits or to obtain or provide reimbursement for the provision of health care. These activities include but are not limited to:

Determining eligibility, and adjudication or subrogation of health benefit claims;
Risk adjusting amounts due based on enrollee health status and demographic characteristics;
Billing, claims management, collection activities, obtaining payment under a contract for reinsurance, and related health care processing;
Review of healthcare services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges;
Utilization review activities, including pre-certification and preauthorization services, concurrent and retrospective review of services; and
Disclosure to consumer reporting agencies of certain PHI relating to collection of premiums or reimbursement.

10.7.3.5 Health care operations : Any one of the following activities to the extent the activities are related to providing health care:

Conducting quality assessment and improvement activities, population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting patients with information about treatment alternatives, and related functions that do not involve treatment;
Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities;
Underwriting, premium rating, and other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits, and ceding, securing or placing a contract for reinsurance of risk relating to claims for health care;
Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs;
Business planning and development, such as conducting cost management and planning related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or covered policies, and;
Business management and general administrative activities:

Management activities related to HIPAA compliance;
Customer Service;
Resolution of internal grievances;
Due Diligence; and
Activities designed to de-identify health information and fundraising activities for the benefit of the institution.

10.7.3.6 Minimum Necessary : When using or disclosing PHI or when requesting PHI from another health care provider or health organization, UNT must limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure or request. Minimum Necessary does not apply in the following circumstances:

Disclosures by a health care provider for treatment (students and trainees are included as health care providers for this purpose);
Uses and disclosures based upon a valid consent to use and disclose PHI for treatment, payment and health care operations or a valid authorization to use and disclose PHI;
Disclosures made to the Secretary of Health and Human Services;
Uses and disclosures required by law; and
Uses and disclosures required by other sections of the HIPAA privacy regulations. For a more detailed explanation of Minimum Necessary, see Section 10.7.4.

10.7.3.7 Indirect Treatment Relationship : A relationship between an individual and a health care provider in which:

The health care provider delivers health care to the individual based on the orders of another health care provider; and
The health care provider typically provides services or products, or reports the diagnosis or results associated with the health care, directly to another health care provider, who provides the services, products or reports to the individual.

10.7.3.8 Surrogate decision makers, Minors, and Deceased Individuals : For information regarding proper uses and disclosures for Surrogate decision makers, Minors, and Deceased Individuals, see Section 10.7.8.4.3.

10.7.3.9 Consents

Unless there is an emergency, UNT healthcare components should not treat a patient if an individual has not signed and executed the proper HIPAA consent form. UNT workforce members may use and disclose PHI for TPO without obtaining the consent of the individual only in the following instances:

When an indirect treatment relationship exists;
When an emergency situation exists;
When treatment is required by law; or
When substantial barriers in communication exist and the patient's consent is clearly inferred from the circumstances.

If failure to obtain consent occurs, the reasons for the failure to obtain consent must be documented on the consent form.

It should be clearly understood the Consent for the Use and Disclosure of PHI does not allow UNT or its workforce members to use or disclose PHI for any reasons other than for TPO. For UNT to use and disclose PHI for purposes other than for TPO, the individual must sign an authorization (see Section 10.7.5.3).

Psychotherapy notes are not to be included as PHI that may be disclosed, unless consent is sought for each such use or disclosure. For information regarding proper uses and disclosures for Psychotherapy notes, see Section 10.7.5.3.1.2.

Consents to use and disclose PHI for TPO must have the following elements for the consent to be effective:

Inform the patient or surrogate decision maker that PHI may be used and disclosed to carry out TPO;
Refer the patient or surrogate decision maker to the NPP for a more complete description of such uses and disclosures and state that the patient or surrogate decision maker has the right to review the NPP prior to signing the consent;
State the patient or surrogate decision maker may request a restriction be placed on the consent (see Section 10.7.5.4.1); and
The consent must be signed by the patient or surrogate decision maker and dated. UNT healthcare components reserve the right to change their privacy practices described in their NPP. If a UNT healthcare component changes the terms of its NPP, it will describe how the patient or surrogate decision maker may obtain a revised NPP.

10.7.3.9.1 Defective consents : Lack an element required in the consent or become defective if the consent has been revoked

10.7.4 Minimum Necessary Use and Disclosure

[45 CFR 164.502(b), 164.514(d)]

For purposes other than those listed below, the use and disclosure of PHI must be limited to the minimum necessary to satisfy the request or to complete the task. However, if the use or disclosure is for treatment purposes, no limitation to the use and disclosure shall apply. Each UNT healthcare component shall develop the necessary procedures and training to implement the requirements of this section.

The minimum necessary provisions SHALL NOT APPLY to the use and disclosure of PHI:

For treatment purposes;
For information requested by the individual to whom it belongs;
For information requested pursuant to a valid authorization by the individual;
For compliance with standardized Health Insurance Portability and Accountability Act (HIPAA) transactions;
For required disclosures to the Department of Health and Human Services for enforcement purposes; or
For instances required by law

10.7.4.1 Limitations on Use and Disclosure

All persons who handle PHI in any manner are expected to know and to abide by the following:

Determining workforce access to PHI . Access to PHI shall be granted to persons based on their role, as determined by their supervisor, manager, and department head. The UNT healthcare component shall identify:

Those persons or classes of persons in the UNT workforce, including students, trainees, and volunteers, who need access to PHI to carry out their duties, and
For each such person or class of persons, the category or categories of PHI to which access is needed and any conditions appropriate to such access.

Requests for Uses or Disclosures of PHI . Except in emergency situations, any person requesting PHI from the medical record custodian must include the requestor's name, unique identifier, and the amount of information requested.
Audits . The UNT healthcare component Privacy Officer shall be responsible for facilitating random checks to ensure that the minimum necessary standard is being applied when using and disclosing PHI.
Requests for uses and disclosures of entire medical records . Medical record custodians must not release the entire medical record to other UNT departments or business associates unless necessary.
Good faith judgment. The medical record custodian may rely on the belief that the PHI requested is the minimum amount necessary to accomplish the purpose of the request when:

The information is requested by a person previously approved for access;
The information is requested by a professional providing professional services either as an employee or as a business associate (such as the UNT System Office of the Vice Chancellor and General Counsel);
Making disclosure to entities or agencies associate with health related purposes that do not require consent, authorization, or opportunity to agree or object and also that the requesting official states that the information is the minimum necessary or is required by law;
IRB or privacy board documentation represents that proposed research meets the minimum necessary standard;
A requester asserts that the information is necessary to prepare a research protocol; or
A requester asserts the information is for research on decedents.

10.7.4.2 Disclosures for Payment

Only the minimum necessary PHI shall be disclosed for payment functions, as provided by contractual agreements. Persons handling PHI for payment shall not discuss or disclose information about an individual's diagnosis or treatment. This policy shall apply to checks collected, credit card paper receipts, envelopes and invoices sent to patients or clients.

10.7.4.3 Disclosures Required by Law

PHI about a victim of crime or abuse: UNT may only release the minimum necessary amount of information to law enforcement officials, unless the law requires certain other information to be released, in which case UNT must comply with relevant statutes, laws, regulations, and subpoenas.

In response to an order of a court or an administrative tribunal, UNT must release all information, but only that information, required by the order. The minimum necessary standard does not apply.

10.7.4.4 Disclosures for Worker's Compensation

PHI may be disclosed to comply with Worker's Compensation laws and regulations without the consent, authorization, or opportunity to object by an individual. Such disclosure will be only the minimum necessary information. The records' custodian and the UNT System Office of the Vice Chancellor and General Counsel must carefully review and approve requests for entire records.

10.7.4.5 Disclosures to Family and Friends

Such disclosures must comply with Section 10.7.8.3.13 of this policy.

10.7.4.6 Minimum Necessary Use and Disclosure for Student Workers, Trainees, and Volunteers

Students, trainees, and volunteers are to adhere to the minimum necessary standard. They shall have access to records only to the degree that their duties require this access, and their supervisor shall train them in the privacy regulations of the UNT healthcare component in which they provide services. Individual healthcare components may implement a more restrictive policy with respect to student access to records.

10.7.4.7 Minimum Necessary Use and Disclosure for Educational Purposes

Faculty, staff, students, and trainees are to use de-identified information when in a classroom setting. A patient's identifying information is not needed for educational purposes.

10.7.5 Patient Access Rights

10.7.5.1 Relationship Between HIPAA and FERPA

FR, December 28, 2000 , p. 82483

The HIPAA Privacy Regulations safeguards “protected health information,” whereas the Family Educational Rights and Privacy Act (FERPA) deals with the privacy of “education records.” The U.S. Department of Health and Human Services specifically exempted from its definition of “protected health information” FERPA's education records.

FERPA defines education records as those records that contain information directly related to a student that are maintained by an education agency, institution or a person acting for the agency or institution. FERPA education records do not include records of students who are 18 years or older, or are attending post-secondary educational institutions, that are:

Created or maintained by a physician, psychiatrist, psychologist, or recognized professional or paraprofessional acting or assisting in that capacity;
Created, maintained, or used only in connection with the provision of treatment to the student; and
Not available to anyone, except a physician or appropriate professional reviewing the record as designated by the student.

Any use or disclosure of the above medical records for other purposes, including providing access to the individual student who is the subject of the information, turns the record into an educational record protected by FERPA. However, a student may access his or her medical records by making a request under the Texas Public Information Act. To avoid the need to apply two different standards to student records, HIPAA excludes from its definition of “protected health information” the student medical records that an educational institution obtains, whether or not they qualify as education records.

This policy recognizes that both HIPAA and FERPA require authorization from an individual to disclose their protected health information. In some circumstances, FERPA requirements may be more stringent than HIPAA requirements. To facilitate the operation of all UNT healthcare components, all discussions of consents and authorizations in this policy apply to both HIPAA and FERPA records. The healthcare component shall develop only one set of forms and procedures to comply with both sets of federal regulations. The healthcare component Privacy Officer shall be responsible for overseeing the processing of authorizations and requests for PHI, regardless of which set of regulations applies. However, the Privacy Officer will ensure that the permissions needed to approve a HIPAA or FERPA request will be obtained from the proper authority. The UNT System Office of the Vice Chancellor and General Counsel shall have the authority to approve all FERPA requests, and is designated as the final authority for many types of HIPAA requests.

There will be instances in which student records will be converted from HIPAA records to FERPA records. For example, students with disabilities requesting accommodations are often asked to produce a physician's certification of disability before the institution makes the requested accommodation. The information disclosed by the non-institution-affiliated physician ceases to be protected health information under HIPAA once the information is shared, at the student's request, with the institution. UNT must accept this information and protect it as it would receive and protect any other HIPAA PHI. However, now that the student has made the medical information available to the institution, it falls under the protections of FERPA and may not be further released without the student's permission.

Under no circumstances may student medical or student educational records be disclosed to the Department of Health and Human Services as a part of an HHS audit or investigation of any UNT healthcare component.

10.7.5.2 Access and Denial of Patient Request for PHI

[45 CFR 164.524]

The Privacy Officer of the healthcare component that retains the individual's records shall be responsible for processing or denying requests by an individual to that individual's own PHI.

Individuals have a right to inspect and receive a copy, at their own expense, of the PHI that is in their designated record, except for the following:

Psychotherapy notes, which are discussed in Section 10.7.5.3.1.2, below. Individuals are entitled to request and receive a summary of psychotherapy notes;
Information compiled in anticipation of use in a civil, criminal, or administrative action or proceeding;
PHI subject to the Clinical Laboratory Improvements Amendments of 1988 (CLIA);
Employee Assistance Program (EAP) records, which are not part of the individual's record but which may be requested separately; and
PHI exempt from CLIA, pursuant to 42 CFR 493.3(a)(2), which is PHI generated by:

Facilities or facility components that perform forensic testing;
Research laboratories that test human specimens but that do not report patient-specific results for diagnosis, prevention, treatment, or assessment of the health of patients; and
Laboratories certified by the National Institutes on Drug Abuse (NIDA) in which drug testing is performed that meets NIDA guidelines and regulations. However, other testing conducted by a NIDA-certified laboratory is not exempt.

Each UNT healthcare component shall develop the procedures, forms and workforce training to enable individuals to request access to and copies of their own PHI. The procedures developed must comply with the following:

Individuals have the right to request access to their own PHI as long as the PHI is maintained in the records of the healthcare component;
If UNT or one of its healthcare components does not maintain the requested PHI but knows where the requested information is maintained, then it must inform the individual where to direct the request for access;
The individual must make the request in writing, using the appropriate form;
Based on Texas law, UNT or the healthcare component must act on the individual's request no later than the 15th calendar day after receipt of the request and payment of any necessary fee. If UNT is officially closed during the entire 15-day period, the request must be acted on in a reasonable time following the reopening of the university. UNT or the healthcare component shall:

Make the information available, in full or in part, for examination; or
Inform the authorized requestor if the information does not exist, cannot be found, or is not yet complete. On completion or location of the information, UNT or the healthcare component shall notify the individual. If the information does not exist or cannot be found, the health care component will make an official notation for file at the UNT facility.

If access is granted, in whole or in part, UNT or the healthcare component must comply with the following requirements:

UNT or the healthcare component must provide the individual access to his or her PHI in the designated records, including inspection or receiving a copy, or both. If the same PHI that is the subject of a request for access is maintained in more than one designated record or at more than one location, UNT or the healthcare component need only produce the PHI once in response to a request for access;
UNT or the healthcare component must provide the individual with access to the PHI in the form or format requested by the individual, if it is readily reproducible in such a form or format, or if not, in a readable hard copy or other form or format that is agreed on by both parties;
UNT or the healthcare component may provide the individual with a summary of the PHI requested, in lieu of providing access to the PHI, or may provide an explanation of the PHI to which access has been provided, if:

The individual agrees in advance to such a summary or explanation; and
The individual agrees in advance to the fees imposed, if any, by UNT or the healthcare component for a summary or explanation.

Whether summary or explanation, notation will be made by the health care component in the file at the UNT facility.

UNT or the healthcare component must provide access as requested by the individual in a timely manner, including arranging with the individual for a convenient time and place to inspect or receive a copy of the PHI, or by mailing the copy of the PHI at the individual's request. UNT or the healthcare component may discuss the format, scope, and other aspects of the request for access with the individual as necessary to facilitate the timely provision of access; and
If the individual requests a copy of the PHI or agrees to a summary or explanation of its information, UNT or the healthcare component may impose a reasonable, cost-based fee, provided that the fee includes only the cost of:

Copying, including the cost of supplies for and labor of copying the PHI requested. The fee schedule for these services is set by the State of Texas ;
Postage, if the patient has requested that the copy, summary, or explanation be mailed; and
Preparing an explanation or summary of the PHI, if agreed to by the individual.

10.7.5.2.1 Denial of Access to PHI

UNT or the healthcare component must allow an individual to request access to inspect or receive a copy of PHI maintained in their records. However, UNT or the healthcare component may deny an individual's request without providing an opportunity for review when:

An exception stated above exists;
The individual agreed to temporary denial of access when consenting to participate in research that includes treatment, and the research is not yet complete;
The records are subject to the Privacy Act of 1974, and the denial of access meets the requirements of that law; and
The PHI was obtained from someone other than UNT under a promise of confidentiality, and access would likely reveal the source of the information.

UNT or the healthcare component may also deny an individual access for additional reasons, provided that the individual is given the right to have such denials reviewed under the following circumstances:

A licensed healthcare professional designated by the HIPAA Compliance Office has determined that the access is likely to endanger the life or physical safety of the individual or of another person;
The PHI makes reference to another person who is not a healthcare professional, and a licensed healthcare professional designated by the HIPAA Compliance Office has determined that the access requested is likely to cause substantial harm to this other person; or
The request for access is by the individual's surrogate decision-maker, and a licensed healthcare professional designated by the HIPAA Compliance Office has determined that access is likely to cause substantial harm to the individual or to another person.

If access is denied on the basis of any criterion above, the individual has the right to have the denial reviewed by a licensed healthcare professional designated by the HIPAA Compliance Office to act as the reviewing official. The designee must not have participated in the original decision to deny . UNT or the healthcare component must provide access or deny access in accordance with the determination of the reviewing official;
If UNT or the healthcare component denies access, in whole in or part, to PHI, UNT or the healthcare component must comply with the following:

To the extent possible, give the individual access to any other PHI requested, after excluding the PHI to which access was denied;
Provide in a timely manner written denial to the individual, in plain language , the following information:

The reason for the denial;
If applicable, a statement of the individual's review rights, including a description of how the patient may exercise such review rights; and
A description of how the individual may complain to UNT.

If the individual has requested a review of a denial, the UNT HIPAA Compliance Officer must designate a licensed UNT health care professional who was not directly involved in the decision to deny access. UNT must promptly refer a request for review to this licensed health care professional. The licensed health care professional must determine, in a reasonable period of time, whether to provide or to deny access to the requested PHI. The UNT HIPAA Compliance Office must promptly provide written notice to the individual detailing the findings of the reviewing health care professional, and must then direct that appropriate action be taken to provide or deny access, as addressed in this section.

10.7.5.3 Authorization

Each UNT healthcare component shall develop the necessary procedures, forms, and training of their workforce members to implement the requirements for processing authorizations and using them for the disclosure of PHI, as discussed in the following sections.

10.7.5.3.1 Authorization Requirements for Use and Disclosure

[45 CFR 164.508(a)]

10.7.5.3.1.1 General Requirements

An authorization shall be required for release of PHI to all healthcare providers, but it is not required for information to be accessed by an attending physician who makes a referral. The referring physician shall always have access to a patient's or client's PHI that is created by a specialist or consulting physician. If the specialist or consulting physician, however, is not on the workforce at UNT, that physician may require the individual to sign an authorization to release PHI to a referring physician at a UNT healthcare component.

A patient or client must always sign an authorization to release PHI for reasons that are not related to TPO.

An individual requesting the release of the individual's own PHI must complete and sign the authorization form developed by the healthcare component. UNT's release of PHI must comply with the directives stated in the authorization. The UNT healthcare component must save all signed authorizations in the individual's record.

PHI may be disclosed without an authorization or without consent if the law requires such disclosure. All the cases in which this is required and permitted are stated elsewhere in this policy. The UNT healthcare component from which PHI is released by the healthcare component or by UNT must document the disclosure in its database used for this purpose.

10.7.5.3.1.2 Requirements for Disclosure of Psychotherapy Notes

The UNT healthcare component may not use or disclose psychotherapy notes for purposes other than TPO without obtaining the patient's or client's signed authorization. The healthcare component also cannot disclose the psychotherapy notes to the patient or client without his or her signed authorization.

An authorization for use or disclosure of psychotherapy notes for TPO is not required under the following situations:

The notes originated in the same UNT healthcare component that is carrying out treatment;
The healthcare component is disclosing de-identified information from the notes for training programs in which students, trainees, or practitioners in mental health learn how to improve their skills. Only de-identified information may be used for such a purpose;
The information will be used or disclosed to defend UNT in a legal action, or in any other proceeding in which UNT is a party;
When the healthcare component must use or disclose the information as required by the Secretary of Health and Human Services to investigate, audit, or determine compliance with privacy regulations in the UNT healthcare component. However, psychotherapy notes relating to a student may not be released to HHS, as these are either medical records exempt from FERPA or they may be student records, both of which are not covered by HIPAA;
The use or disclosure is required by law and is limited to relevant requirements of the law;
The healthcare component makes the disclosure to a health oversight agency that is carrying out its responsibilities to oversee the treatment and operations of the originator of the psychotherapy notes. The healthcare component may be required to enter into Business Associate Agreements with certain health oversight agencies; or
The healthcare component discloses information to coroners or medical examiners for the purpose of identifying a deceased individual determining a cause of death, or other duties authorized by law.

Specific requirements for disclosures that do not require an authorization from an individual are covered elsewhere in this policy.

Texas law protects communications between an individual and a professional providing treatment, and also protects records of the identity, diagnosis, evaluation, or treatment of an individual that is created or maintained by the professional. Texas law does not specifically address psychotherapy notes. Consequently, either HIPAA or FERPA regulations, whichever applies, will be followed by UNT healthcare components.

10.7.5.3.2 Requirements for Valid Authorization

[45 CFR 164.508(b)]

All authorizations must contain the required core elements. If the use or disclosure of an individual's PHI is for reasons other than TPO, it may also need to include the elements needed:

For UNT's own uses and disclosures;
By UNT for another entity's uses and disclosures; or
For research that includes treatment.

These are discussed the following sections.

10.7.5.3.2.1 Core Elements

[45 CFR 164.508(c)]

A valid authorization must contain at least the following elements and must be written in plain language:

A description of the information to be used or disclosed that identifies the information in a specific and meaningful way. Requests for substance abuse records, including Employee Assistance Program records, require an explanation of the purpose for the request;
The name or other specific identification of the person or the class of persons who are authorized to make the requested use or disclosure;
The name or other specific identification of the person or the class of persons to whom a healthcare component of UNT may make the requested use or disclosure;
An expiration date for the request. Unless it is revoked sooner, the authorization is valid for 180 days after the date it is signed;
A statement of the individual's right to revoke the authorization in writing, any exceptions to the right to revoke, and a description of the process that the individual would use to revoke the authorization;
A statement that the information use or disclosed pursuant to the terms of the authorization is no longer protected by the HIPAA privacy regulations, and it may be re-disclosed by the recipient;
Signature of the individual and the date; and
If a personal representative signs for the individual, a description of the representative's authority to act for the individual.

10.7.5.3.2.2 Elements of Authorization Needed for UNT's Use and Disclosure

[45 CFR 164.508(d)]

If an authorization is requested by UNT or by one of its healthcare components for its own use or disclosure of PHI that it maintains, UNT must include the following requirements in the authorization in addition to the core elements:

A statement that UNT or the healthcare component will not condition treatment, payment, or eligibility for benefits on the individual providing the authorization, unless one of these exceptions exist:

UNT may condition the provision of research-related treatment on provision of an authorization, or
UNT may condition the provision of health care that is solely for the purpose of creating PHI for disclosure to a third party on provision of an authorization for the disclosure of the PHI to such third party.

A description of each purpose of the requested use or disclosure;
A statement that the individual may:

Inspect or receive a copy of the PHI to be used or disclosed, and
Refuse to sign the authorization.

If use or disclosure of the requested information will result in direct or indirect remuneration to UNT from a third party, a statement of such remuneration must be included.

10.7.5.3.2.3 Elements of Authorization Requested by UNT for Disclosures by Other Entities

[45 CFR 164.508(e)]

If a UNT healthcare component requests an authorization be signed to obtain records from another covered entity for the healthcare component to carry out TPO, the healthcare component must include the following requirements in addition to the core elements:

A description of each purpose of the requested use or disclosure;
A statement that UNT or the healthcare component will not condition treatment, payment, or eligibility for benefits on the individual providing the authorization, except for an authorization on which payment may be conditioned; and
A statement that the individual may refuse to sign the authorization

A copy of the authorization shall be provided to the individual for signature.

10.7.5.3.2.4 Authorizations Needed for Research That Includes Treatment

[45 CFR 164.508(f)]

See Section 10.7.8.3.9 and UNT Policy 16.5, Human Subjects in Research, and its associated procedures.

10.7.5.3.2.5 Defective Authorizations

[45 CFR 164.508(b)]

An authorization is considered defective and invalid if any material information in the authorization is known by UNT or any member of its workforce to be false, or if any of the following defects exist:

The expiration date has passed or the expiration event is known by the UNT healthcare component to have occurred;
The authorization has not been filled out completely or signed;
The authorization is known by the UNT healthcare component to have been revoked;
The authorization lacks any of the core elements; or
The authorization violates the exception allowing compound authorizations for research purposes.

10.7.5.3.3 Compound Authorizations

An authorization for use and disclosure of PHI may not be combined with any other document to create a compound authorization, except for the following:

An authorization for the use or disclosure of PHI created for research that include the treatment of the individual may be combined;
An authorization for the use and disclosure of psychotherapy notes may only be combined with another authorization for use and disclosure of psychotherapy notes; or
An authorization, other than that for a use and disclosure of psychotherapy notes, may be combined with any other such authorization.

10.7.5.4 Access

10.7.5.4.1 Patient Right to Restrict

[45 CFR 164.522(a)(b)]

UNT healthcare components must permit an individual to request that the healthcare components restrict:

Uses and disclosures of PHI about the individual to carry out TPO.
Permitted uses and disclosures as outlined elsewhere in this policy.

Each healthcare component shall develop the necessary forms and procedures to enable individuals to request restrictions and shall provide workforce members with the training necessary to carry out these procedures.

UNT healthcare components are not required to agree to a restriction. If a healthcare component does agree to a restriction, UNT or the healthcare component may not use or disclose PHI in violation of the restriction, except when the individual who requested the restriction needs emergency treatment and the restricted PHI is required to provide emergency treatment.

UNT or a healthcare component may itself use the restricted PHI or may disclose the restricted PHI to a health care provider for other required treatment to the individual. If restricted PHI is disclosed to another health care provider for emergency treatment, UNT or its healthcare components must request that the health care provider not further use or disclose the PHI.

A restriction agreed to by a UNT healthcare provider cannot be used to prevent:

Uses or disclosures from being made to the individual for inspection and copying the individual's own PHI;
The individual from obtaining an accounting of disclosures of PHI; or
For uses and disclosures for which consent, authorization, or opportunity to agree or object is not required.

10.7.5.4.1.1 Terminating a Restriction

A UNT healthcare component may terminate its agreement to a restriction if:

The individual agrees to or requests the termination in writing;
The individual orally agrees to the termination and the oral agreement is documented; or
The UNT healthcare component informs the individual that it is terminating the restriction. PHI created or received before the termination will remain restricted. PHI created or received after the termination will no longer be restricted.

10.7.5.4.1.2 Confidential Communications

A request for restricting confidential communications can occur anytime and requires a change in the individual's designated address. UNT healthcare components must permit individuals to make requests and must accommodate reasonable requests to receive communications of PHI from UNT healthcare components by alternative locations or address. UNT healthcare components:

May require that individuals make a request for confidential communication in writing;
May condition the provision of a reasonable accommodation on:

Information regarding how any payment will be handled, if appropriate; and
Specification of an alternative address or other method of contact.

May not require an explanation from the individual as to the basis for the request as a condition of providing communications on a confidential basis.

It is the individual's responsibility to change an address back to the original designated address.

10.7.5.4.1.3 Right to Amend One's Own Protected Health Information

[45 CFR 164.526(a)-(f)]

Patients have the right to amend information collected and maintained about them in their records.

All workforce members must strictly observe the following standards:

An individual has the right to have a UNT healthcare component amend PHI or a record about the individual in a designated record for as long as the PHI is maintained in the record;
A UNT healthcare component may deny an individual's request for amendment, if it determines that the PHI or record that is the subject of the request:

Was not created by the UNT healthcare component, unless the individual provides a reasonable basis to believe that the originator of the PHI is no longer available to act on the requested amendment;
Is not part of the individual's designated record;
Would not be available for inspection under the Access and Denial Request for PHI section of this policy; or
Is accurate and complete.

The individual must make the request to amend the PHI in writing with a reason to support the requested amendment. The request shall be on the form developed for this purpose by the healthcare component.
The UNT healthcare component must accept all requests to amend PHI in the designated record. However, the healthcare component is not required to act on the individual's request if one of the conditions for denying the request is found to exist.
The healthcare component must act on the individual's request for an amendment no later than 60 days after the receipt of the request. If the healthcare component is unable to act on the amendment within the required 60 day time limit, it may extend the time for its action by no more than 30 additional days, provided that:

The healthcare component provides the individual with a written statement of the reasons for the delay and the date by which action on the request will be completed, and
The healthcare component may have only one such extension of time for action on a request for an amendment.

If the amendment is granted, in whole or in part, the UNT healthcare component must:

Make the appropriate amendment to the PHI or record that is the subject of the request for amendment by at least identifying the records that are affected by the amendment and appending or otherwise providing a link to the location of the amendment.
Inform the individual in a timely manner that the amendment is accepted and obtain the individual's identification of and agreement to have the healthcare component notify the relevant persons with which the amendment needs to be shared.
Make reasonable efforts to inform and provide the amendment within a reasonable time to:

Persons identified by the individual as having received PHI about the individual and needing the amendment, and
Persons, including business associates, that the healthcare component knows have the PHI that is the subject of the amendment and that may have relied, or might reasonably rely, on this information to the detriment of the individual.

If the requested amendment is denied, in whole or in part, the healthcare component must provide the individual with a timely, written denial. The denial must use plain language and contain:

The basis for the denial, in accordance with the procedures specified in this section.
Notice that the individual's right to submit a written statement disagreeing with the denial and how the individual may file such a statement.
A statement that, if the individual does not submit a statement of disagreement, the individual may request that the healthcare component provide the individual's request for amendment and the denial of the amendment whenever it makes future disclosures of the individual's PHI.
A description of how the individual may file a complaint with UNT, or with the UNT System Office of the Vice Chancellor and General Counsel with respect to student medical records, or to the Secretary of the Department of Health and Human Services with respect to records protected by the HIPAA Privacy regulations.

Additionally, for denials:

The healthcare component must permit the individual to submit a written statement disagreeing with the denial of all or part of a requested amendment and the basis of such a disagreement. The healthcare component may reasonably restricted the length of any statement of disagreement;
The healthcare component may prepare a written rebuttal to the individual's statement of disagreement. Whenever a rebuttal is prepared, a copy of the rebuttal must be provided to the individual who submitted the statement of disagreement;
The healthcare component must identify, as appropriate, the record or PHI in the designated record that is the subject of the disputed amendment and append or otherwise link the individual's request for an amendment, the denial of the request, the individual's statement of disagreement, if any, and the rebuttal, if any, to the designated record;
In its future disclosures:

If a statement of disagreement has been submitted by the individual, the healthcare component must include the individual's request for an amendment, the denial of the request, the individual's statement of disagreement and the rebuttal, if any, or an accurate statement of any such information, with any subsequent disclosures of the PHI to which the disagreement relates;
If the individual has not submitted a written statement of disagreement, the healthcare component must include the individual's request for amendment an its denial, or an accurate summary of this information, with any subsequent disclosures of the PHI only if the individual has requested such action; or
When a subsequent disclosure is made using a standard transaction that does not permit the additional material to be included with the disclosure, the healthcare component may transmit the material required under separate cover to the recipient of the standard transaction.

If the healthcare component is informed by another provider or payer that an amendment has been made to the individual's PHI within the outside entity's records, the UNT healthcare component must amend the PHI in the designated records that have been received from that outside entity. However, the UNT healthcare component is not required to amend the PHI in its own records based on the determination of the outside entity, unless the healthcare component regards the findings of the outside entity reliable. Questions concerning reliability should be discussed with the UNT System Office of Vice Chancellor and General Counsel.

Each UNT healthcare component shall develop the procedures, forms, and training for its workforce members that are necessary to carry out the requirements of this section.

10.7.5.4.3 Accounting for Disclosures and Patient Access to Disclosure Logs

[45 CFR 164.528(a)-(d), 164.530(i)(1)]

Individuals shall have the right to receive an accounting of PHI disclosures made by UNT healthcare components in the six years prior to the request (or a shorter time period if requested). Disclosures include those to and by business associates. However, UNT healthcare components are not required to account for disclosures that occurred prior to the compliance date of April 14, 2003.

UNT healthcare components must account for disclosures of PHI for occurrences other than TPO. These require an authorization from either the individual or a surrogate decision maker. However, referring physicians will not require an authorization or accounting of disclosure of PHI. Disclosures for law enforcement purposes or that are required by law do not need an authorization.

10.7.5.4.3.1 Right to Accounting of Disclosure of PHI

UNT healthcare components must provide the individual with a written accounting that meets the following requirements:

The accounting for each disclosure must include:

The date of the disclosure;
The name of the entity or person who received the PHI and, if known, the address of this entity or person;
A brief description of the PHI disclosed; and
A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure, or in lieu of such a statement:

A copy of the individual's written authorization, or
A copy of a written request for a disclosure, if any.

If a UNT healthcare component has made multiple disclosures of the PHI to the same person or entity for a single purpose, or resulting from a single authorization, the accounting may provide, for these multiple disclosures:

The information required above;
The frequency, periodicity, or number of the disclosures made during the accounting period; and
The date of the last such disclosure during the accounting period.

The healthcare component must act on the individual's request for an accounting no later than 60 days after receipt of the request, as follows:

Provide the individual with the accounting requested, or
If unable to provide the accounting within the time required, it mat extend the time to provide the accounting by no more than 30 days, provided that:

The healthcare component, within the 60 day time limit, provides the individual with a written statement of the reasons for the delay and the date by which the covered entity will provide the accounting, and
The healthcare component may have only one such extension of time for action on a request for an accounting.

The healthcare component must provide the first accounting to an individual in any 12-month period without charge. The healthcare component may impose a reasonable, cost-based fee for each subsequent request for an accounting by the same individual with the same 12-month period, provided that the healthcare component informs the individual in advance of the fee and provides the individual with an opportunity to withdraw or to modify the request for a subsequent accounting in order to avoid or to reduce the fee. The fee schedule for these services is set by the State of Texas.

10.7.5.4.3.2 Exceptions to the Right of Accounting of Disclosures

In accounting for disclosures of PHI:

The UNT healthcare component must temporarily suspend an individual's right to receive an accounting of disclosures to a health oversight agency or law enforcement official if this agency or official provides the healthcare component with a written statement that such an accounting to the individual would reasonably be likely to impede the agency's activities. The written statement must specify the time for which such a suspension is required.
If the agency or official suspends an individual's right to receive an accounting of disclosures and the statement is made orally, the UNT healthcare component must:

Document the statement, including the identity of the agency or official making the statement.
Temporarily suspend the individual's right to an accounting of disclosures subject to the statement.
Limit the temporary suspension to no longer than 30 days from the date of the oral statement, unless a written statement from the suspending agency or official is submitted during this 30-day time period.

The UNT healthcare component is not required to account for the following disclosures:

To carry out TPO.
To individuals requesting their own PHI.
To person's involved in the individual's care or for other notification purposes.
For national security or intelligence purposes.
To law enforcement officials.
That occurred prior to the compliance date of April 14, 2003.

10.7.5.4.3.3 Documentation for Accounting of Disclosures

The workforce members of the UNT healthcare component are required to account for disclosures of PHI by documenting any such disclosure. Each healthcare component shall develop the necessary procedures, training of workforce members, and database or filing system that will contain the accounting of disclosures and that will comply with this section.

10.7.6 Administrative Requirements

10.7.6.1 General Policies and Procedures

10.7.6.1.1 Implementing Policies and Procedures

[45 CFR 164.530(i)(1)]

This policy was developed to ensure the privacy of PHI regarding any individual receiving healthcare services from a component of UNT. This policy complies with the U.S. Department of Health and Human Services Standards for Privacy of Individually Identifiable Health Information, 45 CFR Parts 160 and 164, the Texas Medical Privacy Act, and any other applicable federal or state law or regulation.

10.7.6.1.2 Changing Policies and Procedures

[45 CFR 164.530(i)(2)]

The UNT HIPAA Compliance Officer is responsible for maintaining this policy. If changes in federal or Texas laws or regulations require changes in this policy, the UNT HIPAA Compliance Officer will consult with necessary parties both within and outside the University to develop the required policy changes.

Changes in this policy may also be requested by University management or by the management or Privacy Officer of any healthcare component within the University. Proposed changes will be submitted to the UNT HIPAA Compliance Officer for consideration and development. Changes in this policy must be approved by the President of UNT and must be ratified by the UNT System Board of Regents. The changes take effect on approval of the President of UNT.

Healthcare components within UNT must also develop a procedure for changing their policies and procedures and for updating forms, records, and agreements.

If changes in policies or procedures materially affect the way in which workforce members carry out their duties, the affected workforce members will be retrained in compliance with section 10.7.6.4.1 of this policy.

10.7.6.1.3 Documentation of Policies and Procedures

[45 CFR 164.530(j)]

The UNT HIPAA Compliance Office must retain documentation of these changes for a period of seven years from the time the documentation was created, unless a longer period is prescribed by other federal or Texas regulations.

UNT and its healthcare components must maintain the policies and procedures required by the HIPAA Privacy regulations in written or electronic form. Whenever a communication is required to be in writing, UNT or its healthcare components, as appropriate, shall maintain a record of this communication, or an electronic copy, as documentation. Whenever an action, activity, or designation is required to be documented, UNT or its healthcare components, as appropriate, shall maintain a written or electronic record of such action, activity, or designation.

10.7.6.2 Privacy and Confidentiality Procedures

10.7.6.2.1 Safeguards

[45 CFR 164.530(c)]

Each UNT healthcare component must develop and implement administrative procedures and practices, as well as technical and physical safeguards that reasonably protect health information from intentional and unintentional use and disclosure that violates federal or Texas law and regulations.

10.7.6.2.2 Mitigation of Harmful Effects from Unauthorized Use

[45 CFR 164.539(f)]

To the extent practicable, UNT will mitigate any harmful effect that becomes known to UNT as a consequence of the use or disclosure of PHI that violates federal or Texas laws, or the policies or procedures of UNT or of its healthcare components.

Mitigation may include, but is not limited to the following:

Taking corrective measures to remedy the effect of the violation.
Retraining workforce members responsible for the violation.
Disciplining workforce members responsible for the violation, following the procedures specified in this policy and in the appropriate sections of the UNT Policy Manual.
Revising UNT policies or procedure to prevent a recurrence of the violation.
Addressing problems with business associates, once UNT has been made aware of the problems.

10.7.6.2.3 Waiver of Rights

[45 CFR 164.530(h)]

Individuals who believe that a UNT healthcare component is not complying with the standard or requirements of the Privacy Act, when their medical records are protected by the Privacy Act, may file a complaint with the Secretary of the Department of Health and Human Services, as well as or instead of with the Privacy Officer of the healthcare component. The Privacy Act does not cover student medical records. Individuals who are students may file a complaint with the Privacy Officer of the healthcare component.

Individuals may not be asked or expected to waive their right to file a complaint with the Secretary of HHS or the Privacy Officer as a condition of receiving treatment by the healthcare component.

10.7.6.2.4 Effect of Prior Consents and Authorizations

[45 CFR 164.532(a)]

If an individual, before April 14, 2003 , signs an authorization for the use and disclosure of the individual's PHI either for research purposes or for reasons other than research, this prior authorization may continue to be used to use and release that PHI provided:

The individual's authorization permits the use and disclosure of the particular PHI required
The authorization meets the requirements of Section 10.7.5.3 of this policy and any other applicable UNT policies

10.7.6.2.5 Privacy Officer and Contact Person

[45 CFR 164.530(a)]

Each healthcare component of UNT shall designate a Privacy Officer, who will maintain accountability for privacy within the department or clinic. This individual may share this role with other duties, as long as a conflict of interest is not created by their multiple duties. In cases where a conflict of interest might arise, the Privacy Officer shall consult with the healthcare component's manager and with the UNT HIPAA Compliance Officer so that an alternate person may be designated to assume those duties that create the conflict of interest.

Each healthcare component of UNT shall also designate a Contact Person, who may be the same individual as the Privacy Officer. The role of the Contact Person is to accept complaints.

The Privacy Officer will oversee the healthcare component's Privacy Program, including:

Developing and implementing privacy policies and procedures, in accordance with federal and Texas privacy requirements.
Receiving and processing consents.
Receiving and processing restrictions on consents.
Receiving and processing revocations of authorizations.
Overseeing that all members of the component's workforce who come into contact with PHI are properly trained.
Approving all disclosures that do not require a consent, authorization, or opportunity for the patient to agree or object.
Providing information related to the Notice of Privacy Practices.
Mitigating the effects of all disclosures that are not compliant with federal or Texas law or with the policies or procedures of the department or clinic.
Conducting, at least annually, a review of the implementation of the “minimum necessary” requirements.
Conducting, at least annually, a review of the component's access procedures and relevant records.
Guiding and assisting in the identification, implementation, and maintenance of privacy policies and procedures in conjunction with the component's management, the UNT System Office of the Vice Chancellor and General Counsel, and the UNT HIPAA Compliance Officer.
Reviewing all patient information security plans to align security and privacy practices.
Performing initial and periodic risk assessments or “privacy audits” and conducting ongoing compliance monitoring activities.
Overseeing that the component maintains appropriate consent and authorization forms, information notices, and materials that reflect current organization and legal practices and requirements.
Overseeing compliance with privacy practices and application of sanctions for failure to comply with privacy practices.

This list provides an overview of the duties of the Privacy Officer and is not comprehensive.

10.7.6.2.6 Security Officer

A healthcare component may elect to have the Privacy Officer also serve as the Security Officer. Please see the Health Information Security Policy for additional information on the duties of the Security Officer.

10.7.6.3 Complaint Process

[45 CFR 164.530(c)]

Any individual who believes the rights granted by the Health Insurance Portability and Accountability Act (HIPAA) privacy regulations or any other state or federal laws dealing with privacy and confidentiality have been violated may file a complaint regarding the alleged violation.

Each healthcare component of UNT shall develop and implement a set of procedures that enable individuals to file a complaint in case they believe that their privacy rights have been violated. These procedures shall specify to whom a complaint shall be delivered and how it will be investigated. If the complainant wishes to make an anonymous complaint, and if the healthcare component has no provision to accept such a complaint, the complaint can be filed using the form on the UNT Compliance Office website ( www.unt.edu/compliance ).

In situations involving workforce members who are students, the Center for Student Rights and Responsibilities shall be notified of the investigation. Members of the workforce who are found, after an investigation, to have violated this policy or any federal or Texas law or regulation shall be subject to appropriate and applicable disciplinary action, following the procedures in UNT discipline policies.

10.7.6.4 Employee Expectations

10.7.6.4.1 Documented Training Program

[45 CFR 164.530(b)]

The Privacy Officer of each healthcare component shall be responsible for ensuring that members of the component's workforce are properly trained in the requirements of federal and Texas law. All members of the workforce who come into contact with PHI in performing their job functions shall be trained on the privacy laws and the procedures regarding PHI.

The term “workforce” includes, employees, volunteers, and any other individual performing work for the healthcare component, who is under direct control of the component's management, regardless of whether or not they are paid.

Training shall meet the following requirements:

All current members of the workforce shall complete training by April 14, 2003 .
Workforce members hired or engaged in duties after that date must complete training within two months following the date when they start their duties.
The supervisor of the workforce member shall be responsible for initiating training.
Workforce members whose duties are affected by a material change in the privacy laws or policies shall be retrained within two months after the change becomes effective.
Workforce members who have violated privacy laws, policies, or procedures shall be retrained within thirty days of the determination.

The Privacy Officer shall document each training session and the names of the workforce members who completed training. Such documentation shall be maintained within the healthcare component's privacy records for at least seven years from the date of training.

The Privacy Officer shall provide a summary annual report of the component's training activities to the UNT HIPAA Compliance Officer.

10.7.6.4.2 Signed Employee Confidentiality Statement

All workforce members who come into contact with PHI in performing their job function, and who have completed required training in confidentiality procedures, shall acknowledge in writing that they have completed their training, that they have received a copy of the healthcare component's confidentiality and security agreement, that they understand its contents, and that they will comply with its provisions and with the provisions of federal and Texas law, University policy, and the healthcare component's policies and procedures.

The component shall provide a form for this purpose and shall keep it on file for a period of seven years from the date when it was signed.

10.7.6.4.3 Sanctions for Breaches

[45 CFR 164.530(e)]

Each healthcare component of UNT must develop and implement a policy for disciplinary action in the event that a member of the workforce uses or disclosures PHI in a manner that violates federal or Texas law or regulations, or UNT policies.

10.7.6.4.3.1 Disciplinary Action.

Failure to comply with PHI policies may be grounds for disciplinary action, including termination of employment. The appropriate level of disciplinary action will be determined on a case by case basis, taking into consideration the specific circumstances and severity of the violation. In cases where disciplinary action is imposed (except for termination), the workforce member shall be required to repeat confidentiality training.

The procedures for disciplinary action will be consistent with UNT policies 1.7.1 and 1.15.33.

Healthcare components should provide examples of violations that will result in disciplinary action. Examples of violations of privacy laws and policies include but are not limited to:

Discussing patient information in a public area.
Leaving a medical record in a public area.
Leaving a computer that contains PHI unsecured.
Looking up a patient's PHI for personal rather than for business and claims purposes.
Accessing patient records out of concern or curiosity.
Compiling a mailing list with the intent to sell or use for personal purposes or for profit.
Using or disclosing PHI to personally advance a cause of action.

10.7.6.4.3.2 Penalties

Federal penalties that might be assessed for illegal use or disclosure of PHI include:

The Department of Health and Human Services reserves the right to investigate complaints and conduct compliance reviews. The Secretary of Health and Human Services has delegated enforcement responsibilities to the Department's Office of Civil Rights (OCR).
Civil and criminal penalties may be imposed on a covered entity.
Civil penalties consist of a fine of $100 for each violation up to $25,000 within one year. The healthcare component can claim an affirmative defense if it had no knowledge of the violation, had exercised due diligence in preventing violations, and would not have known despite its due diligence. The OCR may waive penalties if disclosures are made due to reasonable cause and not willful neglect.
Criminal penalties may consist of up to $50,000 and a year in jail. If the disclosure was made under false pretenses, the violator may face a fine of $100,000 and five years in jail. An individual improperly disclosing PHI with the intent to sell, transfer, or use health information for commercial advantage, personal gain, or malicious harm may face a $250,000 fine and 10 years in jail.

Penalties for violations of the Texas Medical Privacy Act may include:

The Attorney General may institute an action for injunctive relief and/or civil penalties, not to exceed $3,000 per violation.
If a court that finds that violations constitute a pattern or practice, it can assess additional penalties, which should not exceed $250,000, suspend or revoke applicable licenses, or excluded the covered entity from state funded health care programs.

10.7.6.4.4 Prohibition of Retaliation

[45 CFR 164.530(g)]

All UNT workforce members are required to report any suspected violation of federal or Texas laws or regulations, or provisions of this policy. These reports should be made to their supervisor, the Privacy Officer of their healthcare component, or the UNT HIPAA Compliance Officer.

All UNT workforce members shall be allowed freely to discuss and raise questions to managers or to appropriate personnel about situations that they feel are in violation of federal or Texas law or this policy.

UNT shall not intimidate, threaten, coerce, discriminate against, or retaliate against any patient, legally authorized representative, workforce member, association, organization or group that in good faith:

Discloses or expresses the intention to disclose suspected violations of federal or Texas laws or regulations, or of this policy.
Provides information to or testifies against the alleged offender or UNT.
Objects to or refuses to participate in activities that they believe might violate federal or Texas laws or regulations, or this policy.
Participates in a compliance review, audit, or peer review of healthcare services.
Files a legitimate report, complaint, or incident report.

Workforce members who are alleged and found to have filed a malicious complaint may be subject to disciplinary action.

The UNT HIPAA Compliance Officer will review any allegation of retaliation and will ensure that a proper investigation is conducted.

10.7.7 Confidentiality and Communication

[45 CFR 164.508(a)]

10.7.7.1 Fax Transmittal of PHI

Each UNT healthcare component must develop procedures and forms that adhere to the following standards relating to facsimile communications of an individual's medical records, and each workforce member must follow the designated procedures

PHI may only be sent by fax when the original record or mail-delivered copies will not meet the needs for TPO.
Information transmitted must be limited to the minimum necessary to meet the requester's needs.
Except as authorized by state or federal law, or as authorized by the individual's consent, a properly completed and signed authorization must be obtained before releasing PHI.
The following types of medical information are protected by federal and/or state statute and may not be faxed or photocopied without specific written patient authorization, unless required by law:

Confidential details of:

Psychotherapy treatment by a psychiatrist or a licensed psychologist.
Other professional services of a licensed psychologist.
Social work counseling and therapy.
Domestic violence victims' counseling.
Sexual assault counseling.

HIV test results. An individual's written authorization is required for each separate release request.
Records relating to sexually transmitted disease.
Alcohol and drug abuse records protected by federal confidentiality rules (cf. 42 CFR Part 2).

A designated fax cover page must be used to send faxes containing PHI. All pages plus the cover page must be marked “CONFIDENTIAL” before being transmitted.
Workforce members must take reasonable precautions to send the PHI to the correct location, using the correct phone number. If they are uncertain of the fax number, they must first call the location and verify the fax number with a person at the remote location.

10.7.7.1.1 Documentation of Successfully Transmitted Faxes

The healthcare component sending a fax for TPO purposes may wish to maintain a copy of the fax transmittal or fax confirmation sheet in the individual's record, but it is not required to do so.

The healthcare component sending a fax for non-TPO purposes, based on an authorization of the individual or based on a request that does not require the consent of the individual, must maintain a copy of the fax transmittal sheet or, if available, the fax confirmation sheet in the individual's record. It must also enter the transmission into the healthcare component's disclosure accounting database.

10.7.7.1.2 Misdirected Faxes

If a fax is known to have arrived at an incorrect location, the workforce member must obtain the incorrect number from the fax memory and must attempt to contact a party by phone at the remote location to request that the misdirected fax be destroyed in its entirety. If no one is available by phone at the remote location, a form designated by the healthcare component must be faxed to the incorrect number with a request that the misdirected fax be destroyed in its entirety. The number to which the misdirected fax was sent must be entered into the disclosure accounting database with a notation that the fax was sent erroneously to that location.

10.7.7.1.3 Receipt of Faxes with PHI

Fax machines designated for receiving PHI must not be located in areas accessible to the general public or to workforce members who do not have authorization to access PHI. The director of the healthcare component, in conjunction with workforce members responsible for security, shall designate a secure location for fax machines.

Incoming fax documents are confidential PHI and must be handled in compliance with this policy and with the healthcare components procedures and practices.

If a fax is received in error, the receiving department shall immediately notify the sending party, and then shall either destroy it in its entirety or shall follow the directions of the sending party.

10.7.7.2 Email Transmission of PHI

Electronic mail that is sent, received, or stored on computers that are owned, leased, administered, or otherwise under the custody and control of UNT is the property of UNT and subject to this policy. Email transmission of PHI shall only be permitted after encryption has been implemented in the UNT email system.

10.7.7.2.1 General

Email containing PHI must be treated with the same degree of privacy and confidentiality as the patient's medical record.
UNT healthcare components shall make all email messages sent or received that concern the treatment of an individual part of the individual's record.
Emailing PHI with the UNT email system is permitted for TPO.
UNT workforce members may not send or forward any PHI outside the UNT email network unless specifically authorized by the individual.
When using email UNT workforce members must limit the information transmitted to the minimum necessary to meet the requestor's needs (see Section 10.7.4) and must use de-identified PHI (see Section 10.7.8.4.1) whenever possible.
All external disclosures of PHI though email must comply with Sections 10.7.5.3 and 10.7.5.4.3, which deal with authorizations and accounting of disclosures.

10.7.7.2.2 Email Correspondence Between UNT Workforce Members and Patients or Clients

Prior to using email to correspond with patients or clients, the individual must consent to the use of the email for transmitting confidential PHI and must indicate this in writing on their patient consent form and sign the form.
UNT workforce members must make sure that the individual has given written consent to correspond through email before doing so.
Email clients must permit encryption of the PHI transmitted.
Email should not be used to replace a clinical visit. A health care provider must use due care in determining if email is appropriate for the individual's treatment, based on the individual's case history.
At the conclusion of a dialogue with an individual, all emails regarded health care must be forwarded to the medical records custodian to become part of the individual's medical record.

10.7.7.2.3 Medical Records Including Email Correspondence Between Physicians

Physicians may email other UNT physicians within the UNT internal email system regarding patient matters.

If email contains PHI for treatment, the email must be printed and forwarded to the medical records custodian to become part of the individual's medical record.

10.7.7.2.4 Accounting for Email Disclosures

When email is used for disclosing PHI, the release must be documented in compliance with Section 10.7.5.4.3 of this policy.

10.7.7.3 Substance Abuse Confidentiality

The HIPAA Privacy Regulations consider Substance Abuse Treatment Records to be a unique subset of PHI, which must be treated differently from other types of PHI. A Substance Abuse Treatment Record shall be confidential and be disclosed only for the purposes expressly authorized by the individual who is the subject of the Substance Abuse Treatment Record.

The content of any Substance Abuse Treatment Record may be used and disclosed in accordance with the prior written consent of the individual for TPO. For any other use or disclosure of a Substance Abuse Treatment Record, the UNT healthcare component or the record custodian must have an authorization from the individual granting the healthcare component permission to disclose the information prior to the release of any portion of the Substance Abuse Treatment Record.

UNT may, however, disclose the Substance Abuse Treatment Record without the individual's authorization if:

Medical personnel are required to treat the individual in an emergency situation and require the information for their treatment.
Qualified personnel are conducting management audits, financial audits, or program evaluation, but such personnel may not identify, directly or indirectly, any individual receiving treatment in any report of such research, audit, or evaluation, or otherwise disclose individual identities in any manner.
A person is authorized by an appropriate order of a court of competent jurisdiction to receive the information in the Substance Abuse Treatment Record.
UNT must report the information in the Substance Abuse Treatment Record by law.

10.7.7.3.1 Criminal Proceedings

Except as authorized by court order, no Substance Abuse Treatment Record may be used to initiate or substantiate any criminal charges against an individual or to conduct any investigation of an individual.

10.7.7.3.2 Application

The prohibitions of this section continue to apply to records concerning any individual who has ever been a patient receiving Substance Abuse Treatment, irrespective of whether or when this individual ceases to be a patient.

10.7.7.4 Maintenance of PHI

10.7.7.4.1 Storage of PHI

UNT healthcare components have a duty to protect the confidentiality and integrity of confidential medical information as required by law, professional ethics, and accreditation requirements. All UNT workforce members must strictly observe the following standards for storing PHI:

Before regular working hours have ended, workforce members must clean desks and working areas so that PHI is properly secured, unless the immediate area can be secured from unauthorized access.
When not in use, PHI must always be protected from unauthorized access. When left in an unattended room, such information must be appropriately secured.
If PHI is stored on the hard disk drive or other internal components of a computer workstation, personal computer, or PDA (Personal Digital Assistant), it must be protected by either a password or encryption. Unless encrypted when not in use, computers and their storage units must be secured from unauthorized access.
If PHI is stored on diskettes, CD-ROMs, ZIP disks, or any other type of removable data storage media, it cannot be commingled with other electronic information.
If backup copies of PHI are moved to a location away from campus to ensure redundancy and integrity of data, the remote location must be secure and the person transporting the copies must have security clearance and documented training in the requirement of the Privacy Act.

When PHI is being released through teleconference or video feed, UNT workforce members must treat the protection of the PHI in the same manner as PHI recorded on paper, thereby securing access to the teleconference or video to

authorized personnel only. Support staff for the teleconference or video feed must have documented training regarding HIPAA compliance procedures if they will have contact with PHI during the teleconference or video feed.
PHI stored in medical equipment (EKG, etc.) must be kept secure and disposed of in compliance with this policy.

Each healthcare component shall develop the procedures and workforce training necessary to ensure the integrity and confidentiality of stored PHI.

10.7.7.4.2 Printing and Copying of PHI

All UNT workforce members must strictly observe the following standards relating to the printing and copying of PHI:

PHI in hardcopy format must be disposed of in accordance with this policy and with records retention schedules.
Printed versions of PHI should not be copied indiscriminately or left unattended and open to compromise.
Printers and copiers use for printing and copying PHI should be in a secure, non-public location. If the equipment is in a public location, the information being printed or copied is required to be strictly monitored.
Defective copies or printouts of PHI must be secured and immediately disposed of, in compliance with this policy.
Access controls must be enforced to ensure that workforce members who transport and dispose of PHI have appropriate security clearance and training; and
PHI printed to a shared printer shall be promptly removed from the printer and secured.

10.7.7.4.3 Disposal of PHI

All UNT workforce members must strictly observe the following standards for disposal or hardcopy and electronic copies of PHI:

PHI must not be discarded in trash bins, recycle bins (including those with locks), or other locations accessible to the public.
PHI must be personally shredded or disposed of in any reasonable way that renders documents unreadable.
Printed material and electronic data containing PHI shall be disposed of in a manner that ensures confidentiality.
Each individual handling PHI is responsible for ensuring that documents containing PHI are either secured or destroyed. Supervisors are likewise responsible for ensuring that their employees and volunteers adhere to this policy.

10.7.7.4.4 Destruction of Convenience Copies

UNT healthcare component Heads and Directors shall provide workforce members in their healthcare component with access to shredders for proper disposal of confidential printouts containing PHI.

10.7.7.4.5 Electronic Copies

Secure methods shall be used to dispose of electronic data and output. Acceptable methods are determined by the University Computing Center to be compliant with Texas law and Department of Information Resources and General Services Commission Regulations.

10.7.7.4.6 Destruction of Originals

Original documents shall be retained in accordance with records retention schedules, and then shall be destroyed in compliance with this policy.

PHI printed material shall be shredded by a workforce member authorized to handle and personally shred the PHI.
Microfilm or microfiche must be cut into pieces or chemically destroyed.

If hardcopy PHI cannot be shredded, it must be incinerated, using a business associate that specializes in the disposal of confidential records.

10.7.7.4.7 Documentation of Destruction

To ensure that PHI is in fact destroyed and disposed of properly, UNT workforce members or a bonded business associate specializing in this service must carry out the destruction of PHI.
If UNT workforce members destroy the records, the UNT workforce member must use the records destruction form provided by their healthcare component or department to record the date and method of destruction, and a description of the records being destroyed.
If a bonded business associate destroys the PHI, the bonded business associate must provide the UNT healthcare component Privacy Officer with a document of destruction that contains the following information:

Date of destruction.
Method of destruction.
Description of the disposed records.
Inclusive dates covered.
A statement that the records have been destroyed in the normal course of doing business.
The signatures of the individuals supervising and witnessing the destruction.

The UNT healthcare component shall retain destruction documents permanently.

10.7.8 Organizational Use and Disclosure

10.7.8.1 UNT's Structure and Resulting Requirements

10.7.8.1.1 UNT as a Hybrid Entity

[45 CFR 164.504(a)]

UNT consists of healthcare service components, other services that support the business operations of the healthcare components, and still other components that are not related to healthcare services. UNT has elected to consider itself a hybrid entity. Healthcare components and those components that provide business support to the healthcare components must comply with all provisions of the privacy rule. The remaining components need not comply with the requirements of the privacy rule.

Release of protected information from the covered service or function to the non-covered service or function is considered a disclosure under the privacy rule for which an authorization must be obtained. If a University component, however, provides business-associate-like services to the healthcare component, and if it is so designated, an authorization is not needed, but the privacy rule applies.

The Texas Medical Privacy Act supplements the federal requirements, and it considers a covered entity to be any entity or person that uses, possesses, or obtains protected health information.

10.7.8.1.2 Identification of UNT's Health Care Components

[45 CFR 164.504(b)]

UNT's HIPAA Compliance Officer and the UNT System Office of the Vice Chancellor and General Counsel shall define the healthcare components of the University and those entities that provide business associate type support services by April 14, 2003 . The remaining components will be designated as non-covered components. The HIPAA Compliance Officer and the UNT System Office of the Vice Chancellor and General Counsel will also review this list annually, and will update it as needed.

10.7.8.1.3 UNT Safeguard Requirements for Health Care Components

[45 CFR 164.504(c)]

Those covered by this policy must develop and implement adequate protection between covered and non-covered functions or components. This protection shall be implemented by means of firewalls, policies, and procedures.

The healthcare component Privacy Officer must be consulted and must approve the implementation of protection measures that affect the operation of the healthcare component. Protection measures that are proposed and that are implemented must also be filed with the HIPAA Compliance Officer for review.

10.7.8.2 Business Associate Contracts and Other Arrangements

[45 CFR 164.504(e)]

A business associate is a person or entity, other than a workforce member, that performs a function that involves PHI for a healthcare component of UNT.

Each healthcare component must establish a business associate agreement with each of their business associates no later than April 14, 2003 , unless otherwise advised by the UNT System Office of the Vice Chancellor and General Counsel. Notwithstanding anything to the contrary, each healthcare component must establish a business associate agreement with each of their business associates no later than April 14, 2004 . The contract must meet the legal standards of the UNT System and must be approved by the UNT System Office of the Vice Chancellor and General Counsel before it is executed.

The business associate contract must establish the permitted and required uses and disclosures of PHI by business associates. This use or disclosure must comply with all the federal and Texas privacy laws and regulations in the same way that the healthcare component must also comply.

At a minimum, the business associate must contractually agree:

Not to use or further disclose PHI other than as permitted or required by the contract or as required by law;
To use appropriate safeguards to prevent use or disclosure of the information other than as provided by the contract;
To report to the healthcare component any use or disclosure of the information not provided for by the contract of which it becomes aware;
That agents and subcontractors of the business associate agree to the same restrictions and conditions that apply to the business associate in respect to PHI that the agent or subcontractor receives or creates on behalf of the business associate;
To make PHI available in accordance with the requirements imposed on the healthcare component;
To make PHI available for amendment and incorporate any amendments to PHI in accordance with the same requirements imposed on the healthcare component;
To make available the information required to provide an accounting of disclosures in accordance with the same requirements imposed on the healthcare component; and
To provide the Secretary of Health and Human Services and the Privacy Officer of the healthcare component with access to all internal practices and records relating to PHI in order to determine whether the healthcare component is in compliance.

At the termination of the contract, the business associate must agree:

To return or destroy all PHI;
Not to retain copies of the information; and
If the business associate cannot return or destroy the PHI, to extend the protections of the contract to the information and to limit further disclosures.

The healthcare component must determine and document that the business associate has provided satisfactory assurances that it is able to meet the requirements of the contract and to protect the privacy of PHI. The contract must authorize termination of the contract if the business associate violates a material term of the contract.

If the healthcare component becomes aware of a business associate's violation of the terms of the contract or of federal and Texas laws and regulations, it must take reasonable steps to prevent or to mitigate any improper use or disclosure of PHI. If reasonable steps to correct a business associate's contract violations are not successful in preventing or mitigating improper use or disclosure of PHI, the healthcare component must:

Terminate the contract, if feasible, or
If termination is not feasible, report the problem to the Secretary of HHS, and
If appropriate, seek a protective order by referring the matter to the UNT System Office of the Vice Chancellor and General Counsel

The business associate standard does not apply to disclosures made to another healthcare provider concerning the treatment of an individual patient, and it also does not apply to disclosures to health plans for payment purposes.

10.7.8.3 Information That May Be Used Without Patient Consent

As a general rule, members of the UNT workforce may not disclose PHI, unless the individual to whom the PHI belongs has requested the disclosure and has provided a valid authorization. This section presents the cases in which PHI may be disclosed. Such disclosures are explicitly limited to the following cases, and they must strictly comply with this policy and with the limits and requirements of applicable laws.

Each healthcare component of UNT shall develop the procedures and forms needed to implement the requirements of the following sections.

10.7.8.3.1 Information Required by Law

[45 CFR 164.512(a)]

Members of the workforce at UNT may use or disclose PHI if this use or disclosure is required by law. The information used or disclosed must be limited in scope to comply with and to meet only the requirements of the law.

UNT workforce members must meet disclosure requirements related to victims of abuse, neglect, or domestic violence; judicial and administrative purposes; and law enforcement purposes.

10.7.8.3.2 Information Required for Public Health Activities

[45 CFR 164.512(b)]

In cases where information is not required by law, a UNT healthcare component may elect to release PHI without an individual's authorization to public health authorities who are legally authorized to receive such reports for the purpose of preventing or controlling disease, injury, or disability.

A public health authority is an agency of the United States government (e. g., the Food and Drug Administration or Centers for Disease Control), a State (e. g.., the Texas Department of Health), a territory, a political subdivision of a State or territory, or Indian tribe that is responsible for public health matters as part of its official mandate, as well as a person or entity acting under a grant of authority from, or a contract with, a public health agency. Under the direction of a public health authority, a UNT healthcare component may also release PHI to a foreign government agency that is acting in collaboration with the public health authority.

Examples of information that may be released under this section include, but are not limited to:

Reporting a disease or injury
Reporting vital events, such as births or deaths
Conducting public health surveillance, investigations, or interventions
Notifying individuals at risk of contracting or spreading a disease, provided that other law authorizes such notification as necessary to carry out public health interventions or investigations
Tracking FDA-regulated products
Collecting or reporting adverse events from medications, foods, or supplements; product defects or problems; or biological product deviations
Enabling product recalls, repairs, or replacements by locating and notifying the individuals who received them
Disclosing PHI at the request of the individual's employer for the limited purpose of workforce medical surveillance or the evaluation of work-related illness and injuries only to the extent that the employer is required to comply with federal and state law. Information disclosed under this provision must be limited to the provider's findings relating to medical surveillance or work-related illness or injury. The individual must receive written notice that the information will be disclosed to the employer

In all cases, the disclosure must be limited to the minimum necessary, or to the information specifically required by law. The UNT System Office of Vice Chancellor and General Counsel shall make the final determination which information may be disclosed under this section.

10.7.8.3.3 Information About Victims of Abuse, Neglect, or Domestic Violence

[45 CFR 164.512(c)]

Members of the UNT workforce may disclose to a government agency PHI about an individual whom the UNT System Office of the Vice Chancellor and General Counsel has reasonably determined to be a victim of abuse, neglect, or domestic violence, if this disclosure is authorized or required by law and subject to the following conditions:

The disclosure is required by law and the disclosure complies with and is limited to the relevant requirements of the law;
If the individual agrees to the disclosure; or
If the disclosure is expressly authorized by statute or regulation and:

The UNT System Office of the Vice Chancellor and General Counsel has made a reasoned determination that the disclosure is necessary to prevent serious harm to the individual or other potential victims, or
If the individual is unable to agree because of incapacity, a law enforcement or other public official may authorize to receive the report if:

The PHI sought is not intended to be used against the individual; and
An immediate enforcement activity that depends on the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure.

Government agencies include social service or protective services agencies.

The Privacy Officer of the UNT healthcare entity must promptly inform the individual that such a report has been or will be made, unless:

The UNT System Office of the Vice Chancellor and General Counsel has made a reasoned determination that informing the individual would place the individual at risk of serious harm, or
A surrogate decision maker would be the legally appropriate party to inform, and the UNT Office of the Vice Chancellor and General Counsel has made a reasoned determination that this surrogate decision maker is responsible for the abuse, neglect, or other injury, and that informing this person would not be in the best interests of the individual under medical care.

10.7.8.3.4 Information Required for Health Oversight Activities

[45 CFR 164.512(d)]

Members of the UNT workforce may disclose PHI without an authorization to a health oversight agency for oversight activities authorized by law. These activities include:

Audits
Civil, administrative, or criminal investigations, proceedings, or actions
Inspections
Licensure or disciplinary actions
Other activities necessary for appropriate oversight of:

The health care system
Government benefit programs for which health information is relevant for beneficiary eligibility
Entities subject to government regulatory programs for which health information is necessary for determining compliance with program standards, or
Entities subject to civil rights laws for which health information is necessary for determining compliance

Disclosure is not permitted if the individual is the subject of an investigation or activity and the investigation or activity is not directly related to:

The individual's receipt of health care
A claim for public benefits related to health, for example, food stamps, or
The individual's qualification for or receipt of public benefits or services when the individual's health is integral to the claim for public benefits or services.

If a health oversight activity or investigation is related to a claim for public benefits that are not related to health, the joint activity or investigation shall be considered a health oversight activity.

The UNT System Office of the Vice Chancellor and General Counsel will have the final authority to determine the propriety of a disclosure in cases that do not clearly meet the above criteria.

10.7.8.3.5 Disclosures by Whistleblowers and Workforce Victims of Crime

Members of the UNT workforce are encouraged to report conduct that is unlawful or that violates professional or clinical standards to the Office of Institutional Compliance. Disclosure of PHI to the Compliance Office for the purpose of reporting unlawful conduct or a violation of professional or clinical standards is always in compliance with this policy.

A member of the UNT workforce or a business associate may also disclose PHI without violating this policy if the following conditions are met:

The workforce member or business associate believes in good faith that UNT or one of its health care components has engaged in conduct that is unlawful or otherwise violates professional or clinical standards, or that the care, services, or conditions provided by UNT or its health care components potentially endangers one or more patients, workers, or the public, and
The disclosure is to:

A health oversight agency or public health authority authorized by law to investigate or otherwise oversee the relevant conduct or conditions of UNT
An appropriate health care accreditation organization for the purpose of reporting the allegation of failure to meet professional standards or misconduct at UNT, or
An attorney retained by or on behalf of the workforce member or business associate for the purpose of determining the legal options of the workforce member or business associate with regard to conduct believed to be unlawful or in violation of professional or clinical standards

A member of the UNT workforce may also disclose PHI without violating this policy if:

The workforce member is a victim of a criminal act; and
The disclosure is to a law enforcement official, provided that:

The PHI disclosed is about the suspected perpetrator of the criminal act; and
The PHI disclosed is limited to the suspected perpetrator's:

Name and address
Date and place of birth
Social security number
ABO blood type and rh factor
Type of injury
Date and time of treatment
Date and time of death, if applicable, and
Description of the individual's distinguishing physical characteristics, including height, weight, gender, race, hair and eye color, presence or absence of facial hair, scars or tattoos

10.7.8.3.6 Information for Judicial and Administrative Proceedings

[45 CFR 164.512(e)]

UNT may use or disclose PHI in the course of any judicial or administrative proceeding if the following conditions are met:

The disclosure is in response to an order of a court or administrative agency, but only the PHI expressly authorized by the order may be disclosed
The disclosure is in response to a subpoena, discovery request, or other lawful process that is not accompanied by an order of a court or an administrative agency (such as a subpoena from a government agency) provided that:

The UNT System Office of the Vice Chancellor and General Counsel receives satisfactory assurance from the party seeking the information that reasonable efforts have been made to ensure that the subject of the requested PHI has been given notice of the request, evidenced by an affidavit from the requesting party, or
The UNT System Office of the Vice Chancellor and General Counsel receives satisfactory assurance from the party seeking the information that this party has made reasonable efforts to secure a qualified protective order. A qualified protective order is an order of a court or an administrative tribunal or a stipulation by the parties to a litigation or administrative proceeding that:

Prohibits the parties from using or disclosing the PHI for any purpose other than the litigation or proceeding for which such information was requested, and
Requires returning PHI to UNT or requires destroying the PHI and all copies made at the end of the litigation or proceeding.

The UNT System Office of the Vice Chancellor and General Counsel receives satisfactory assurances from a party seeking PHI along with a written statement and accompanying documentation that:

The party requesting such information has made a good faith attempt to provide written notice to the individual (or to mail a notice to the individual's last know address)
The notice included sufficient information about the litigation or proceeding in which the PHI is requested that would enable the individual to raise an objection to the court or administrative tribunal, and
The time for the individual to raise objections to the court or administrative tribunal has elapsed, and

No objections were filed, or
All objections filed by the individual have been resolved by the court or the administrative tribunal and the disclosures being sought are consistent with such resolution.

The UNT System Office of the Vice Chancellor and General Counsel receives satisfactory assurances from a party seeking PHI including a written statement and accompanying documentation demonstrating that:

The parties to the dispute that gave rise to the request for information have agreed to a qualified protective order and have presented it to the court or administrative tribunal with jurisdiction over the dispute, or
The party seeking the PHI has requested a qualified protective order from such court or administrative tribunal.

If the above conditions are not met, UNT has the option to disclose PHI in response to lawful process without receiving full satisfactory assurances, provided that UNT has made its own reasonable efforts:

To provide notice to the individual sufficient to meet the requirements of this section, or
To seek a qualified protective order.

10.7.8.3.7 Information for Law Enforcement Purposes

[45 CFR 164.512(f)]

This section deals with PHI that may be disclosed for law enforcement purposes in which de-identified information is not sufficient for law enforcement's needs.

For the purpose of complying with laws that require reporting certain kinds of wounds or other physical injuries, UNT may disclose PHI