University of Wisconsin Milwaukee


University of Wisconsin Milwaukee

Policies and Procedures for the Protection of Patient Health Information Under the Health Insurance Portability and Accountability Act ("HIPAA")

Published April 14, 2003
Revised July 12, 2006
Revised May 31, 2012
Revised November 30, 2012
Revised September 22, 2013

Board of Regents of the University of Wisconsin System on behalf of the University of Wisconsin Milwaukee, 2013.

UWM Policies and Procedures for the Protection of Patient Health Information Under HIPAA

Table of Contents

A. Introduction
B. UWM Departments Covered by these Policies and Procedures (UWM's Health Care Component)
C. Designation and Responsibilities of Privacy Officers
D. Designation and Responsibilities of Security Officer
E. General Safeguards to Protect PHI
F. Notice of Privacy Practices
G. Uses and Disclosures of PHI that Do Not Require the Patient's Written Authorization
H. Authorization for Use or Disclosure of PHI
I. De-identification of PHI
J. Use and Disclosure of Limited Data Sets
K. Accounting Disclosures of PHI
L. Patient Rights
M. Use of Business Associate Agreements
N. Breach Notification Requirements
O. Sanctions for Failure to Comply
P. Retaliation and Intimidation are Prohibited
Q. Retention of Documentation
R. Changes to the Policy

Attachments including Sample Forms:

Accounting of Disclosures Log
Acknowledgement of Receipt of Notice of Privacy Practices
Application for IRB Waiver of Authorization or Altered Authorization under the HIPAA Privacy Rule
Authorization Form for the Use and Disclosure of PHI
Attachment to the Authorization Form for the Use and Disclosure of PHI
Authorization Form for the Use and Disclosure of Psychotherapy Notes
Attachment to the Authorization Form for the Use and Disclosure of Psychotherapy Notes
Authorization Form for the Use and Disclosure of PHI for Research Purposes
Certification for Research on the PHI of Decedents
Complaint Report Form
Data Use Agreement for Disclosures of Limited Data Sets
List of Privacy Officers
Notice of Privacy Practices
Permission to Use Email
Use of PHI in Activities Preparatory to Research Certification

A. Introduction

These policies and procedures were created to help UWM comply with the privacy and security regulations established pursuant to the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and the Health Information Technology for Economic and Clinical Health Act ("HITECH") of The primary purpose of HIPAA's privacy and security regulations is to protect the confidentiality of Protected Health Information which is generated or maintained by entities covered by HIPAA in the course of providing health care services. Protected Health Information (or "PHI") is defined under HIPAA as information relating to (1) the past, present, or future physical or mental health condition of an individual, (2) the provision of health care to an individual, or (3) the past, present, or future payment for the provision of health care to an individual.

These policies are intended to be a summary of the HIPAA privacy and security regulations. The policies are not intended to serve as a substitute for the regulations. For any questions regarding interpretation of these policies, the regulations must be consulted. (45 C.F.R. parts 160 and 164).

B. UWM Departments Covered by these Policies and Procedures (UWM's Health Care Component) (45 C.F.R , 105)

UWM is a Hybrid Entity under HIPAA. This means that UWM's business activities include both covered and non-covered functions, and that UWM has designated those departments or units that properly form its Health Care Component for the purpose of HIPAA coverage. UWM has designated as its Health Care Component those departments or units (a unit for this purpose is any definable business operation at UWM; for example, a school or college, an academic or administrative department or sub-department, a center, clinic, or sub-clinic, or laboratory) that meet the following criteria:

1. The unit furnishes, bills or is paid for Health Care in the normal course of business.
   a. Health Care means care, services, or supplies related to the health of an individual, and includes: preventative, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body, and the sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.
2. The unit transmits any PHI (see definition above) in Electronic Form in connection with a Transaction.
   a. Electronic Form means via the internet (wide-open), extranet (using internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of transportable electronic storage media (memory devices, hard drives, memory disks or cards, etc.).
   b. Transmission means the transmission of information between two parties to carry out financial or administrative activities relating to health care, including: (1) Health care claims or equivalent encounter information; (2) Health care payment and remittance advice; (3) Coordination of benefits; (4) Health care claim status; (5) Enrollment or disenrollment in a health plan; (6) Eligibility for a health plan; (7) Health plan premium payments; (8) Referral certification and authorization; (9) First report of injury; and (10) Health claims attachments.

UWM departments or units that meet the above definition are designated as part of UWM's Health Care Component and are referred to herein as Provider Units. In addition, other UWM departments or units that provide administrative services to Provider Units and in doing so, access a Provider Unit's PHI, are also designated as part of UWM's Health Care Component and are referred to herein as Administrative Units. Both the Provider Units and the Administrative Units are collectively referred to as Covered Departments under these policies and must comply with all of the policies and procedures outlined in this manual.

The following Covered Departments are considered part of UWM's Health Care Component for the purposes of HIPAA:

1. Provider Units:
   a. UWM Audiology Clinic (College of Health Sciences) [1]
   b. Institute for Urban Health Partnerships (College of Nursing)
2. Administrative Units
   a. Privacy Officers for Covered Departments (See current List of UWM's Privacy Officers.)
   b. UITS Selected Support Staff (Division of Finance & Administrative Affairs)
   c. Other (Non-UITS) IT personnel serving Covered Departments
   d. Internal Audit (Division of Finance & Administrative Affairs)
   e. Office of Legal Affairs (Division of Finance & Administrative Affairs)
   f. Risk Management (Division of Finance & Administrative Affairs)

[1] The UWM Audiology Clinic is part of an organized health care arrangement with the Center for Communication, Hearing and Deafness (CCHD) to provide services under the name Community Audiology Services.

C. Designation and Responsibilities of Privacy Officers (45 C.F.R (a))

The Dean or Division Head of each school, college, or division in which there are Covered Departments shall designate one or more Privacy Officers. The Privacy Officers shall be responsible for ensuring, in cooperation with the Office of Legal Affairs, that these policies and procedures are implemented by the Covered Departments under their responsibility. (See the current List of UWM's Privacy Officers.)

Privacy Officers are responsible for ensuring that their Covered Departments are adequately informed about the policies in this manual and are complying with them. The duties and responsibilities of each Privacy Officer (with respect to the Covered Department(s) assigned to that Privacy Officer) include:

1. Monitoring the Covered Department(s) to ensure that it meets the criteria provided above and is appropriately designated as part of UWM's Health Care Component under these policies (see Section B above);
2. Ensuring that each existing and new employee within Covered Departments completes online HIPAA training at the time of hire and then no less than once every 2 years (Privacy Officers may establish a requirement for more frequent training depending on the need of the Covered Department);
3. Ensuring that Covered Departments are working with the Security Officer and his or her designees to comply with security regulations (see Section D below);
4. Monitoring Covered Departments to ensure that they have adopted safeguards to protect patient information (see Section E below);
5. Monitoring Covered Departments to ensure that they are properly using the Notice of Privacy Practices and Authorization to disclose patient information, including for any research purposes (see Sections F and H below);
6. Monitoring Covered Departments to ensure that they are properly disclosing information when an Authorization is not required (see Section G below);
7. Monitoring Covered Departments to ensure that they are properly maintaining an Accounting of disclosures (see Section K below);
8. Responding to patient requests for (a) restrictions on the use of Protected Health Information; (b) confidential communications; (c) inspecting and copying records; (d) amendments of records; (e) accountings of disclosures; and (f) complaints (see Section L below);
9. Monitoring Covered Departments to ensure that they have properly obtained Business Associate Agreements with appropriate contractors (see Section M below);
10. Maintaining any documentation regarding sanctions that have been applied by administration for an individual's failure to comply with these policies and procedures (see Section O below);

11. Initiating proper procedures in the event of any suspected breach of confidential PHI (see Section N below); and
12. Maintaining other documentation of compliance with these policies and procedures (see Section P below).

D. Designation and Responsibilities of Security Officer (45 C.F.R (a)(2))

UWM's Chief Information Officer shall serve as the Security Officer for the purposes of HIPAA. The Security Officer shall be responsible for oversight of the security regulations and shall cooperate with Privacy Officers and/or Covered Departments' designated security staff to ensure that security regulations are implemented by Covered Departments. Specifically, the Security Officer shall work with Privacy Officers and other staff of Covered Departments to:

1. Ensure the confidentiality, integrity, and availability of all Electronic PHI created, received, maintained, or transmitted by the Covered Departments;
2. Protect against any reasonably anticipated threats or hazards to the security or integrity of Electronic PHI;
3. Protect against any reasonably anticipated uses or disclosures of Electronic PHI that are not permitted or required under HIPAA; and
4. Ensure compliance with the security regulations by the Covered Departments.

Electronic PHI is PHI that is stored or transmitted by electronic media. Electronic PHI includes PHI that is stored on hard drives or portable memory media (disks and CDs) as well as PHI that is transmitted by email or the internet. Electronic PHI does not cover conventional faxes or voicemail.

The above responsibilities will be accomplished, in part, by the provision of Security Guidelines for use by Covered Departments.

E. General Safeguards to Protect PHI

1. Minimum Necessary Rule (45 C.F.R (b), (d); 42 U.S.C (b))

a. General Rule

Covered Departments must make reasonable efforts to limit the use and disclosure of Protected Health Information to the minimum extent necessary to accomplish the use or disclosure's intended purpose. Until additional guidance is issued by the Secretary of Health and Human Services, Covered Departments should use a Limited Data Set (as defined in Section J), if practicable to accomplish the intended purpose of the use or disclosure. If a Limited Data Set is not practicable, the Covered Departments may still rely on the general minimum necessary rule.

Covered Departments must make their own determination as to what constitutes the minimum amount of information necessary for the intended purpose of any use or disclosure, and may not independently rely on the determination of the requestor.

b. Exceptions

This "minimum necessary rule" shall not apply to the use and disclosure of PHI:

- For treatment purposes;
- For information requested by the patient to whom it belongs;
- For information requested pursuant to a valid authorization;
- For disclosures made to the Secretary of the Department of Health and Human Services for HIPAA compliance and enforcement;
- For uses and disclosures required by law or for compliance with HIPAA.

c. Access by Employees

Each Covered Department shall designate those employees who need access to Protected Health Information to carry out their duties and shall designate the level of access needed by each such employee.

d. Access by Students

The access granted to students must be determined on a case-by-case basis depending on the nature of the educational activity. The level of a particular student's access shall be determined by and monitored by his or her advisor or relevant instructor.

e. Protocols Related to the Minimum Necessary Rule

Covered Departments shall develop their own individual protocols with regard to implementation of the minimum necessary standard.

2. Other Safeguards

Covered Departments are responsible for developing and establishing safeguards to protect the confidentiality of Protected Health Information. These should include appropriate administrative, technical, and physical safeguards to reasonably protect Protected Health Information from any intentional or unintentional use or disclosure in violation of this policy. At a minimum, Covered Departments should comply with the following:

a. Oral Communications

Covered Department staff must exercise due care to avoid unnecessary disclosures of Protected Health Information through oral communications.

b. Telephone Messages

Telephone messages and appointment reminders may be left on answering machines and voice mail systems, unless the patient has requested an alternative means of communication. Telephone messages should never be left that include particularly sensitive health information, such as medical test results.

c. Faxes

Prior to sending a fax containing Protected Health Information, the sender should contact the recipient to verify the fax number and notify the recipient of the transmission, and the sender should confirm immediately after that the transmission was received. All faxes of Protected Health Information should be accompanied by a cover sheet that includes a confidentiality notice. Sensitive health information should not be transmitted by fax, except if deemed to be necessary under the circumstances, such as in an emergency situation or in response to an immediate need by a governmental agency. The Covered Department's fax machines must be located in secure areas not readily accessible to visitors and patients. Incoming faxes should not be left sitting on or near the machine.

d. Emails

Prior to sending an email containing Protected Health Information, the sender should verify the address of the recipient. All emails of Protected Health Information should contain a prominent confidentiality notice. Sensitive health information should not be transmitted by email, except if deemed to be necessary under the circumstances, such as in an emergency situation or in response to an immediate need by a governmental agency. Prior to communicating with patients by email, Covered Departments should obtain permission from the patient. (See UWM's recommended Permission to Use Email.)

e. Sign In Sheets

Sign in sheets should not contain information about the patient's condition.

Covered Departments that primarily see and treat patients with mental health, substance abuse, communicable diseases, or other sensitive health conditions should structure sign in sheets in a manner so that subsequent signers cannot identify the previous signers.

f. Paper Records

Paper records, including medical charts, should be stored or filed in such a way to avoid access by unauthorized personnel. Paper records should be secured/locked when the office is unattended. Original records should not be removed from the Covered Department's premises unless necessary to provide care or treatment or as required by law.

g. Destruction Standards

Protected Health Information must be discarded in a manner that protects the confidentiality of that information. Paper and other printed materials should be destroyed or shredded.

h. Computer/Work Stations

Computer monitors must be positioned away from common areas to prevent unauthorized access or observation. The screens on unattended computers must be returned to the main menu or use a password protected screen saver.

Covered Departments are encouraged to adopt policies and procedures that are stricter than the parameters set forth above, in order to maximize the protection of Protected Health Information in light of the Covered Department's unique circumstances and practices.

F. Notice of Privacy Practices (45 C.F.R )

Covered Departments must give all patients a Notice of Privacy Practices (see UWM's recommended Notice of Privacy Practices). If a Covered Department wishes to modify the recommended Notice of Privacy Practices, it should consult with the Office of Legal Affairs on any substantive changes.

1. Acknowledgement of Receipt

Covered Departments must make a good faith effort to obtain a written acknowledgement that patients have received a copy of the Notice of Privacy Practices prior to receiving health care services. (See UWM's recommended Acknowledgement of Receipt.)

2. Methods of Transmission

The Notice of Privacy Practices may be mailed to the patient prior to, or handed to the patient at the first appointment after, April 14, If a paper copy of the Notice is given to the patient, the patient should complete the paper Acknowledgement of Receipt.

The Notice may also be sent via email if the patient has agreed to electronic notices. (See UWM's recommended Permission to Use Email.) If the Notice is delivered by email, no Acknowledgment of Receipt is required so long as the patient has completed the Permission to Use Email.

3. Posting

A current version of the Notice of Privacy Practices must be posted at all treatment sites of Covered Departments, in clear and prominent locations, at all times.

4. Emergency Situations

In the event of an emergency, the Notice of Privacy Practices must be given to the patient as soon as reasonably practicable, and an Acknowledgement of Receipt is not required.

5. When Unable to Obtain Acknowledgement

If a Covered Department cannot obtain an Acknowledgement of Receipt in a nonemergency situation, it must document its efforts to obtain the Acknowledgement of Receipt and the reason for its inability to obtain the Acknowledgement. The efforts should be documented in the space provided at the bottom of the Acknowledgement of Receipt.

6. Revisions to Notice of Privacy Practices

If a Covered Department revises the Notice of Privacy Practices, the revised Notice need not be sent to patients who have already signed an Acknowledgement of Receipt. A revised Notice of Privacy Practices must be posted on the Covered Department's web site and a paper copy must be provided to patients upon request.

G. Uses and Disclosures of Protected Health Information that Do Not Require the Patient's Written Authorization

Many routine uses and disclosures of Protected Health Information do not require the patient's written authorization. HIPAA establishes two such categories of uses and disclosures: uses and disclosures that do not require health care providers to inform the patient of the use or disclosure, and uses and disclosures that require health care providers to inform the patient of the use or disclosure and give the patient an opportunity to refuse to allow such use or disclosure.

1. Uses and Disclosures that Do Not Require Providers to Inform the Patient of Such Uses and Disclosures (45 C.F.R , 512)

Uses and disclosures of Protected Health Information that do not require providers to inform the patient of such use or disclosure include those that are:

- for treatment purposes;

- to obtain payment;
- for health care operations (e.g., quality control or appointment notifications);
- when required by law (e.g., to report abuse or neglect);
- for public health activities (e.g., workplace safety monitoring or disease control);
- for health oversight activities (e.g., provider licensing review);
- for activities related to the patient's death;
- to avert a threat to health or safety;
- for specific government functions (e.g., disclosures to correctional facilities or government benefit programs); or
- to government authorities for workers' compensation purposes.

In addition, there are certain limited circumstances in which PHI can be disclosed for research purposes without the patient's notification, but such disclosure first requires the approval of UWM's Institutional Review Board or a special privacy board approved by UWM.

Covered Departments can use demographic information and dates of service to send fundraising communications without patient authorization provided this is indicated in the Notice of Privacy Practices and both the communication and the Notice of Privacy Practices include clear and conspicuous information about how a person can opt-out of receiving such communications and the Covered Department makes reasonable efforts to comply.

The disclosures listed above are explained in greater detail in the Notice of Privacy Practices.

2. Uses and Disclosures that Require Providers to Give the Patient an Opportunity to Object to Such Uses or Disclosures (45 C.F.R )

There are two specific uses and disclosures that require providers to give the patient an opportunity to object to such use or disclosure before the patient's health information is used or disclosed:

a. Patient Directories. Providers may maintain patient directories in which they disclose a patient's name, location and general health condition to callers or visitors who ask for the patient by name. These directories also may include a patient's religious affiliation so that providers may share it with clergy. Before a patient's name is added to such a directory, the patient must be informed and given the opportunity to object to such a listing.

b. To Those Involved in the Patient's Care. Health care providers may share with a patient's friends, family or others involved in the patient's care information related to that patient's location or general condition. Similarly, if applicable, providers may release PHI to disaster relief organizations. Prior to such disclosure, the provider must inform the patient that the disclosure might occur, and the patient must have an opportunity to object.

H. Authorization for Use or Disclosure of PHI (45 C.F.R )

HIPAA requires that Covered Departments obtain patient authorization in writing for any use or disclosure of Protected Health Information, other than those described in Section G above, where authorization is not required. Uses or disclosures requiring written authorization often fall into one of five categories: uses or disclosures related to marketing, uses or disclosures in connection with the sale of Protected Health Information, uses or disclosures related to research, the use or disclosure of psychotherapy notes, and miscellaneous disclosures requested by the patient. (See UWM's recommended Authorization Form and Authorization Form for Research. These forms, as appropriate, may be used for all patient records except for psychotherapy notes.)

The authorization must be signed by the patient before any use or disclosure of Protected Health Information requiring such authorization can occur. A copy of the Authorization must be provided to the patient.

1. Marketing

All marketing communications require prior authorization unless they are made in the course of treatment, made face-to-face between the Covered Department and the individual patient, or involve the Covered Department's distribution of a promotional gift of nominal value. However, even if a communication falls within one of these exceptions, if a Covered Department is paid (directly or indirectly) by an outside entity to send a communication to a patient, the Covered Department is deemed to be marketing unless the communication concerns a currently prescribed drug and the payment received is reasonable in amount (as determined with reference to HIPAA regulations).

A Covered Department is also deemed to be marketing if it engages with an outside entity by agreeing to promote that entity's services to its patients (regardless of payment), and if it does not do so in the course of treatment, in a face-to-face context, or via a promotional gift of nominal value. In such instances, it must obtain prior authorization from the patients to whom it intends to market. If the Covered Department receives payment in exchange for such marketing, the authorization form must disclose that fact.

Promotional information about the Covered Department's own practices is not considered marketing under HIPAA.

2. Sale of Protected Health Information

All sales of Protected Health Information, for direct or indirect payment, require patient authorization unless they are made for public health activities as described in the Privacy Rule, in connection with research (provided the price charged reflects the cost of preparation and transmittal of data), for treatment of the individual, in connection with a Business Associate Agreement, or to provide an individual with a copy of his/her own records. Any such patient authorization must specifically state that the Covered Department is receiving remuneration for the Protected Health Information.

3. Research

Patient authorization must be obtained if a Covered Department wishes to use or allow use of a patient's Protected Health Information in research studies, unless the Department has received explicit permission to forego an authorization by UWM's Institutional Review Board (IRB) or by a special board authorized by UWM to handle privacy matters. For the purposes of research, the recommended Authorization Form for the Use and Disclosure of PHI for Research Purposes may be used, or, with approval from the IRB, the same information may be incorporated into an informed consent form developed by the department administering the study.

4. Psychotherapy Notes

Unless psychotherapy notes are used by their originator for treatment, used in the provider's own training program, or disclosed pursuant to a court order, use or disclosure of psychotherapy notes requires a separate authorization. Psychotherapy notes are notes recorded by a mental health care professional that document or analyze the contents of a private or group counseling session. They do not include documentation of medication administered to the patient or of the frequency of counseling sessions. (See UWM's recommended Authorization Form for the Use and Disclosure of Psychotherapy Notes.)

5. Miscellaneous Disclosures

At the patient's request, PHI may be disclosed to another person or entity, after the patient signs a valid authorization.

I. De-identification of PHI (45 C.F.R (d), (a)-(c))

1. Use of De-identified PHI

Covered Departments may use PHI to create de-identified information without patient authorization. Covered Departments may also disclose PHI to a Business Associate for the purpose of creating de-identified information without patient authorization. De-identified information is not PHI and may be used or disclosed without patient consent.

2. Requirements for De-identification

PHI may be considered de-identified if all of the following identifiers are removed for the patient, relatives, employers, or household members of the patient:

a. Names;
b. Geographic subdivisions smaller than a state (i.e., county, town or city, street address, and zip code) (except that the initial 3 digits of a zip code may be disclosed where the area covered by those 3 digits contains more than 20,000 people);
c. All elements of dates except year for dates that are directly related to an individual (including birth date, admission date, discharge date, date of death, all ages over 89 and dates indicative of age over 89) (note that ages may be aggregated into a single category of age 90 or older);
d. Phone numbers;
e. Fax numbers;
f. Email addresses;
g. Social security number;
h. Medical record number;
i. Health plan beneficiary number;
j. Account number;
k. Certificate/license number;
l. Vehicle identifiers and serial numbers;
m. Device identifiers and serial numbers;
n. URLs;
o. Internet protocol addresses;
p. Biometric identifiers (e.g., fingerprints, DNA);
q. Full face photographic and any comparable images;
r. Any other unique identifying number, characteristic, or code; and
s. Any other information about which the Covered Department has actual knowledge that it could be used alone or in combination with other information to identify the individual.

PHI may also be considered de-identified if a person with appropriate expertise in statistics and other relevant scientific principles and methods (1) determines that the risk is very small that the information could be used, alone or in combination, by an anticipated recipient to identify a patient who is the subject of the information; and (2) documents the methods and results of the analysis that justify the determination.

The Department of Health and Human Services (HHS) issued additional guidance on using the above methods for de-identifying Protected Health Information in its November 26, 2012 publication titled Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, which can be found on HHS's website and should be consulted as appropriate.

3. Use of Codes to Allow Re-identification

A Covered Department may assign a code or other means of record identification to allow de-identified information to be re-identified by that unit provided that:

a. The code or other means of record identification is not derived from or related to information about the patient and is not capable of being translated so as to identify the patient; and
b. The Covered Department does not use or disclose the code for any purpose except re-identification.

Disclosure of a code is the same as disclosure of PHI. If de-identified information is re-identified, that information is PHI subject to all the protections of HIPAA.

J. Use and Disclosure of Limited Data Sets (45 C.F.R (e))

1. Use and Disclosure Allowed

Covered Departments may use or disclose a Limited Data Set without patient consent for the purposes of research, public health, or health care operations, if the Covered Department first enters into a Data Use Agreement with the intended recipient of the Limited Data Set. (See UWM's recommended Data Use Agreement.)

2. Definition of Limited Data Set

A Limited Data Set is PHI that excludes the following direct identifiers of the patient, or of relatives, employers, or household members of the patient:

a. Names;
b. Postal address information, other than town or city, state, and zip code;
c. Telephone numbers;
d. Fax numbers;
e. Email addresses;
f. Social security numbers;
g. Medical record numbers;
h. Health plan beneficiary numbers;
i. Account numbers;
j. Certificate/license numbers;
k. Vehicle identifiers and serial numbers, including license plate numbers;
l. Device identifiers and serial numbers;
m. URLs;
n. Internet protocol address numbers;
o. Biometric identifiers (e.g., fingerprints, DNA); and
p. Full face photographic images and any comparable images.

K. Accounting Disclosures of PHI (45 C.F.R , 42 U.S.C )

Covered Departments and Business Associates have an obligation to maintain (and patients have the right to request, pursuant to Section L. 5. below) an "accounting of disclosures," which is a listing of certain disclosures of a patient's health information made by the Covered Department or its Business Associates to anyone outside of that Department since April 14, 2003, or during the preceding 6 years, whichever period is shorter.

1. Disclosures Included in an Accounting

The following disclosures must be included in an accounting:

a. Disclosures for research that were not made pursuant to a patient authorization as described in Section G of this Manual (e.g., a disclosure made for a study in which the need for individual authorizations was waived by a UWM privacy board);
b. Disclosures made for health oversight activities, such as those made to licensing or accreditation boards;
c. Certain types of disclosures made to government agencies (for example, disclosures made to Milwaukee County or the Department of Health and Human Services for accountings or disclosures made to government authorities concerning abuse or child welfare);
d. Disclosures made for law enforcement purposes (for instance, disclosures regarding evidence of a crime);
e. Disclosures made for judicial or administrative hearings (e.g., a disclosure made pursuant to a subpoena);
f. Uses and disclosures regarding decedents, including uses and disclosures for donation purposes or to funeral directors;
g. Unlawful and/or unauthorized disclosures; and
h. Where the Covered Department uses electronic health records, disclosures made to carry out treatment, payment and health care operations, but only during the preceding 3 years.

2. Disclosures Excluded from an Accounting

The following disclosures should not be included in an accounting:

a. Disclosures made to carry out treatment, payment and health care operations, but only if the Covered Department does NOT use electronic health records;
b. Disclosures made to the patient;
c. Disclosures made pursuant to a patient authorization as described in Section G of this manual;
d. Disclosures made for national security or intelligence purposes;
e. Disclosures made to correctional institutions or law enforcement officials about a person in their custody;
f. Disclosures for the Covered Department's directory or other notification purposes;
g. Disclosures made for the creation of a Limited Data Set (see Section J above); or

h. Disclosures that are incidental to otherwise permissible disclosures.

3. Accounting Methodology

The accounting for each disclosure (other than a disclosure involving a research study utilizing data from more than 50 patients) must include:

a. The date of the disclosure;
b. The name of the entity or person who received the PHI and, if known, the address of that entity or person;
c. A brief description of the information disclosed; and
d. A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure, or, in lieu of such statement, a copy of a written request for that disclosure.

If the Covered Department has made multiple disclosures to the same person or entity for a single purpose, the accounting may, with respect to those disclosures, provide:

a. The information required above;
b. The frequency or number of disclosures made during the accounting period; and
c. The date of the last such disclosure during the accounting period.

The Office of Legal Affairs recommends that Covered Departments track those disclosures that might be included in an accounting. (See UWM's recommended Accounting of Disclosures Log.)

4. Accounting Methodology for Research Studies Encompassing More than 50 Patients

If the patient information was disclosed pursuant to a study using health information of more than 50 patients, the accounting requirement can be met by providing individuals with the following information:

a. The name of the research study;
b. A plain-language description of the research;
c. A brief description of the type of PHI used;
d. The time period during which the disclosures occurred for the research study;
e. The name, address and telephone number of the entity sponsoring the research, if applicable; and
f. The name, address and telephone number of the researcher.

If the study in question used health information from 50 or fewer patients, it must be documented using the methodology outlined in paragraph 2 above.

L. Patient Rights

1. Requesting Restrictions on the Use of PHI (45 C.F.R (a), 42 U.S.C )

Patients of Covered Departments may request restrictions on the use and disclosure of their Protected Health Information:

To carry out treatment, payment or health care operations;
To people involved in the patient's care or for notification purposes; and/or
To health plans for the purposes of payment or health care operations, if the patient has paid in full for the related product or service.

a. Making the Request

Patients should make a request for restrictions in writing and direct it to the Privacy Officer for the Covered Department. The Privacy Officer for the Covered Department is responsible for responding to the request.

b. Response to the Request

The Privacy Officer is not required, in the first two instances described above, to agree to such requests for a restriction on use or disclosures, and such requests should be granted only in rare instances where a restriction is necessary to protect the patient. If the request is granted, however, the Covered Department may not use or disclose Protected Health Information in violation of the request unless the information is needed for emergency treatment of the individual. Note that a Covered Entity must agree to a request not to send PHI to a health plan for purposes of payment or health care operations if the individual has paid in full for the related product or service.

c. Timeliness of Denial

The Privacy Officer must notify the patient making the request of a denial of the request, in writing and with the reasons for the denial, prior to or at the time of his or her visit to the Covered Department.

d. Maintaining the Request for Restrictions in the Patient's Records

Requests for restrictions must be maintained with the responses to such requests in the patient's medical record for a minimum of six (6) years.

e. Terminating the Restriction

Once granted, a restriction may be terminated only if:

(1) The patient requests the termination in writing;

(2) The patient orally agrees to termination and this is documented in the patient's medical record and communicated to the Privacy Officer; OR
(3) The patient is informed that the restriction is being terminated, in which case the termination will apply only to Protected Health Information created or received after notification of the termination.

2. Receiving Confidential Communications (45 C.F.R (b))

Patients of Covered Departments may request receipt of communications of Protected Health Information by alternate means or at alternate locations.

a. Making the Request

Patients should make a request for alternate communications in writing and direct it to the Privacy Officer for the Covered Department. The Privacy Officer for the Covered Department is responsible for responding to the request.

b. Response to the Request

The Privacy Officer and/or Covered Department must accommodate reasonable requests if the individual clearly states that the disclosure could endanger the individual, and the individual:

(1) Designates how payment will be handled (if applicable); and
(2) Specifies an alternate address or means of contact.

The patient may not be asked for an explanation or basis for the request.

c. Maintaining the Request for Confidential Communications

Requests for confidential communications should be maintained with the responses to such requests in the patient's medical record for a minimum of six (6) years.

3. Inspecting and Copying Records (45 C.F.R , 42 U.S.C )

Patients of Covered Departments have the right to inspect and obtain a copy of their Protected Health Information.

a. Making the Request

Patients should make a request to inspect and/or obtain a copy of their Protected Health Information in writing and direct it to the Privacy Officer for the Covered Department. The Privacy Officer for the Covered Department is responsible for responding to the request.

b. Records Format

In the event that a Covered Department uses or maintains a copy of the requested information electronically, it must be provided in the electronic form or format requested if it is readily producible. If it is not readily producible, the Covered Department must offer to produce it in at least one readable electronic format as agreed to by the Covered Department and the individual. The patient may also direct the Privacy Officer to transmit a copy of the information in electronic format to any other entity or person, provided that the request is clear and specific.

c. Verification of Identity

The Privacy Officer must obtain verification of the requestor's identity before granting access to the record.

d. Timeliness

A patient's request for access must be acted upon as soon as reasonably possible, but in no event more than thirty (30) days after the Privacy Officer receives the request. A one-time thirty (30) day extension is available if the Covered Entity provides written notice of the extension to the patient/requesting party and the notice contains an explanation of the reason for delay and expected date of completion.

e. Fees

A Covered Department may charge a fee for the actual and direct costs of locating and copying the records. The charges should be consistent with the fees established under UWM's Policy on Public Records Access, S-45. In the event that the information is provided upon request in electronic format, the fee shall not be greater than the Covered Department's labor costs in responding to the request.

f. Denial

A patient may be denied access under the following limited circumstances, in writing, upon prior approval by the Office of Legal Affairs:

(1) Legal Information
The information was compiled in reasonable anticipation of or for use in a civil, criminal, or administrative action or proceeding.
(2) Inmate Information
A copy of the information has been requested by an inmate and providing a copy would jeopardize the health or safety of the patient, other inmates, or persons at the inmate's correctional institution.

(3) Research
The information was created or obtained in the course of research that includes treatment, the research is still in progress, the patient agreed to the denial of access when consenting to participate in the research, and the patient has been informed that the right of access will be reinstated upon completion of the research.

(4) Information from Other Source
The information was obtained from someone other than a health care provider under a promise of confidentiality and access would likely reveal the source of the information.

(5) Endangerment to Health or Safety
Providing access to the information to the patient or the patient's personal representative is reasonably likely to endanger the health or safety of the patient or another person.

(6) Reference to Another Person
The information refers to another person and access is reasonably likely to cause substantial harm to the other person.

(7) Psychotherapy Notes
The information consists of psychotherapy notes and the patient has not obtained either (a) written approval of the access by the patient's treating professional; or (b) a court order authorizing access.

g. Review of Denial for Certain Reasons

A patient has the right to request a review of a denial based on subparagraphs (5) and (6) above. The Privacy Officer should contact the Office of Legal Affairs to discuss the arrangements for such a review.

h. Maintaining the Request for Inspection or Copying

Requests for inspection or copying should be maintained with the responses to such requests in the patient's medical record for a minimum of six (6) years.

4. Amending Records (45 C.F.R )

Patients of Covered Departments may request an amendment of their Protected Health Information maintained by a Covered Department.

a. Making the Request

Patients should make a request for an amendment of their Protected Health Information in writing and direct it to the Privacy Officer for the Covered Department. The Privacy Officer for the Covered Department is responsible for responding to the request.

b. Verification of Identity

The Privacy Officer must obtain verification of the requestor's identity before considering an amendment to the record.

c. Timeliness

A patient's request for an amendment must be acted upon as soon as reasonably possible, but in no event more than sixty (60) days after the Privacy Officer receives the request.

d. Responding to the Request

The Privacy Officer may respond to the request by:

(1) Accepting the Amendment
If the amendment is accepted, in whole or in part, the Privacy Officer and/or Covered Department must:

(a) Make the accepted amendment;
(b) Inform the patient in writing that the amendment or partial amendment is accepted;
(c) Obtain the patient's identification of relevant persons with whom the Covered Department needs to share the amendment (i.e. persons or Business Associates that have the Protected Health Information that is the subject of the amendment) and agreement that the Covered Department may do so; and
(d) Make reasonable efforts to so inform such persons.

(2) Denying the Amendment
If the amendment is denied, in whole or in part, the Privacy Officer and/or Covered Department must:

(a) Inform the patient in writing of the denial or partial denial, with reasons;

(b) Permit the patient to submit a written statement disagreeing with the denial; and
i. If the patient has submitted a written statement disagreeing with the denial, append to the applicable record the request, the denial, and the patient's response to the denial;
ii. If the patient has not submitted a written statement disagreeing with the denial, append to the applicable record the request and the denial only if the patient so requests.
(c) The Privacy Officer and/or Covered Department may also prepare a written rebuttal to the patient's response to the denial, which then should also be appended to the record.

e. Maintaining the Request for Amendment in the Patient's Records

Documentation of the amendment process as described above must be maintained in the patient's medical record for a minimum of six (6) years.

5. Requesting an Accounting of Disclosures (45 C.F.R , 42 U.S.C )

Patients may request an accounting of disclosures, maintained pursuant to Section K above.

a. Making the Request

Patients should make a request for an accounting in writing and direct it to the Privacy Officer for the Covered Department. The Privacy Officer for the Covered Department is responsible for responding to the request.

b. Responding to the Request/Timeliness

The Privacy Officer must act on an individual's request for an accounting no later than 60 days after the receipt of such a request in one of two ways:

(1) The Privacy Officer may provide the individual with the accounting requested; OR
(2) The Privacy Officer may exercise a one-time 30-day extension of the 60-day deadline, provided that within the initial 60 days the individual is provided with a written statement of the reasons for the delay and the date by which the accounting will be provided.

Privacy Officers must include, in the accounting provided, either the disclosures made by Business Associates of the Covered Department or a list of the Covered Department's Business Associates and contact information, so that the individual may make a request for an accounting directly to those Business Associates.

c. Fees

The Privacy Officer must provide the first accounting to a particular individual within any 12-month period without charge. For any further request in a 12-month period, the Privacy Officer may charge a reasonable, cost-based fee, but only if the Privacy Officer informs the individual in advance of the fee and provides the individual with an opportunity to withdraw or modify the request in advance to avoid or reduce the fee.

d. Retention of Accountings Submitted to Patients

The Privacy Officer must retain copies of any accountings submitted to an individual patient pursuant to an accounting request.

6. Complaints (45 C.F.R (d))

Any individual who believes the rights granted by these policies and procedures, the HIPAA privacy regulations, or by any other state or federal law concerning confidentiality or privacy have been violated may file a complaint regarding the alleged privacy violation.

a. Procedure

Privacy-related complaints must be forwarded to the Covered Department's Privacy Officer. (See UWM's recommended Complaint Report Form.) The Privacy Officer shall investigate all complaints received. The Privacy Officer shall make a recommendation for a response and corrective action, if applicable, to the Dean or Division Head of the school, college, or division in which the Covered Department is located, with a copy to the Office of Legal Affairs. The Dean shall make a decision on any corrective action with respect to the Covered Department's procedures and practices. If the Dean believes that the circumstances warrant discipline of an employee, the Dean shall follow the applicable disciplinary processes for that employee. The Privacy Officer shall document the complaint, the investigation, and any responsive or corrective action.

b. Response to the Complainant

The Privacy Officer shall provide a written response to the complainant within 30 days from the date of his or her receipt of the complaint, describing briefly the factual findings, and if applicable, the extent of corrective action.


Notice of Privacy Practices Notice of Privacy Practices THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED, AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. PURPOSE STATEMENT

More information

NOTICE OF PRIVACY PRACTICES

NOTICE OF PRIVACY PRACTICES NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT COVERED PERSONS MAY BE USED AND DISCLOSED AND HOW COVERED PERSONS CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

More information

SUMMARY OF NOTICE OF PRIVACY PRACTICES. Your rights related to your medical information are as follows:

SUMMARY OF NOTICE OF PRIVACY PRACTICES. Your rights related to your medical information are as follows: LAKE REGIONAL IMAGING PARTNERS, LLC 1075 NICHOLS ROAD OSAGE BEACH, MO 65065 SUMMARY OF NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND

More information

~Cityof. ~~Corpu~ ~.--=.;: ChnstI City Policies HR29.0 NO.

~Cityof. ~~Corpu~ ~.--=.;: ChnstI City Policies HR29.0 NO. ~Cityof ~~Corpu~ ~.--=.;: ChnstI City Policies SUBJECT: Health Insurance Portability & Accountability Act (HIPPA) Privacy Policies & Procedures NO. HR29.0 Effective: 04/14/2003 Revised: 01117/2005 APPROVED:

More information

UNIVERSITY POLICY. Access of Individuals to Their Protected Health Information. Adopted: 01/23/2003 Reviewed: 3/11/2016

UNIVERSITY POLICY. Access of Individuals to Their Protected Health Information. Adopted: 01/23/2003 Reviewed: 3/11/2016 UNIVERSITY POLICY Policy Name: Access of Individuals to Their Protected Health Information Section #: 100.1.4 Section Title: HIPAA Policies Approval Authority: Responsible Executive: Responsible Office:

More information

MICHIGAN HEALTHCARE PROFESSIONALS, P.C.

MICHIGAN HEALTHCARE PROFESSIONALS, P.C. MICHIGAN HEALTHCARE PROFESSIONALS, P.C. PATIENT NOTICE OF PRIVACY PRACTICES As Required by the Privacy Regulations Created as a Result of the Health Insurance Portability and Accountability Act of 1996-(HIPAA),

More information

COVERED TRANSACTION means a Transaction for which the Secretary has adopted a standard under HIPAA.

COVERED TRANSACTION means a Transaction for which the Secretary has adopted a standard under HIPAA. UNIVERSITY OF MAINE SYSTEM HIPAA POLICY #1 DEFINITIONS Unless otherwise provided herein, capitalized terms shall have the same meaning as set forth in HIPAA, as amended, and its implementing regulations,

More information

UNIVERSITY OF WYOMING STUDENT HEALTH SERVICE NOTICE OF PRIVACY PRACTICES

UNIVERSITY OF WYOMING STUDENT HEALTH SERVICE NOTICE OF PRIVACY PRACTICES UNIVERSITY OF WYOMING STUDENT HEALTH SERVICE NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.

More information

NOTICE OF PRIVACY PRACTICES SOUTH DAYTON ACUTE CARE CONSULTANTS, INC.

NOTICE OF PRIVACY PRACTICES SOUTH DAYTON ACUTE CARE CONSULTANTS, INC. NOTICE OF PRIVACY PRACTICES SOUTH DAYTON ACUTE CARE CONSULTANTS, INC. THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE

More information

NOTICE OF PRIVACY PRACTICES

NOTICE OF PRIVACY PRACTICES NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED OR DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. Northwest Neurology

More information

THE HIPAA PRIVACY RULE

THE HIPAA PRIVACY RULE Introduction THE HIPAA PRIVACY RULE The Standards for Privacy of Individually Identifiable Health Information ( Privacy Rule ) establishes, for the first time, a set of national standards for the protection

More information

East Alabama Campus Health, L.L.C. d/b/a Auburn University Medical Clinic

East Alabama Campus Health, L.L.C. d/b/a Auburn University Medical Clinic East Alabama Campus Health, L.L.C. d/b/a Auburn University Medical Clinic THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.

More information

Effective Date: March 23, 2016

Effective Date: March 23, 2016 AIG COMPANIES Effective Date: March 23, 2016 HIPAA NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.

More information

Notice of Privacy Policies

Notice of Privacy Policies Notice of Privacy Policies THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. THIS NOTICE BECAME EFFECTIVE

More information

Hand & Microsurgery Medical Group, Inc. HIPAA NOTICE AND ACKNOWLEDGEMENT

Hand & Microsurgery Medical Group, Inc. HIPAA NOTICE AND ACKNOWLEDGEMENT Hand & Microsurgery Medical Group, Inc. HIPAA NOTICE AND ACKNOWLEDGEMENT Acknowledgement: I acknowledge that I have received the attached Notice of Privacy Practice. Patient or Personal Representative

More information

NOTICE OF PRIVACY PRACTICES

NOTICE OF PRIVACY PRACTICES NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. If you have any

More information

Executive Policy, EP HIPAA. Page 1 of 25

Executive Policy, EP HIPAA. Page 1 of 25 Executive Policy, EP 2.217 HIPAA Page 1 of 25 Executive Policy Chapter 2, Administration Executive Policy EP 2.217, HIPAA Policy Effective Date: June 2017 Prior Dates Amended: None Responsible Office:

More information

CHARLESTON CANCER CENTER, P.A. Notice of Privacy Practices

CHARLESTON CANCER CENTER, P.A. Notice of Privacy Practices CHARLESTON CANCER CENTER, P.A. Notice of Privacy Practices THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW

More information

PRIVACY NOTICE THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.

PRIVACY NOTICE THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. 1NovaMed Surgery Center of Maryville, LLC PRIVACY NOTICE THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW

More information

ARLINGTON DERMATOLOGY NOTICE OF PRIVACY PRACTICES

ARLINGTON DERMATOLOGY NOTICE OF PRIVACY PRACTICES Reproduction and use of this form by physicians and their staff is permitted. Any other use, duplication or distribution of this form by any other party requires the prior written approval of the American

More information

30 Supplier Standards

30 Supplier Standards 30 Supplier Standards Medicare regulations have defined standards that a supplier must meet to receive and maintain a supplier number. The supplier must certify in its application for billing privileges

More information

Health Insurance Portability and Accountability Act Category: Administration 04/30/2015 Vice President for Legal Prior Effective Date:

Health Insurance Portability and Accountability Act Category: Administration 04/30/2015 Vice President for Legal Prior Effective Date: Policy Title: Policy Number: Health Insurance 1.8.4 Portability and Accountability Act Category: Effective Date: Policy Owner: Administration 04/30/2015 Vice President for Legal Prior Effective Date: Affairs

More information

BUFFALO ENT SPECIALISTS, LLP

BUFFALO ENT SPECIALISTS, LLP BUFFALO ENT SPECIALISTS, LLP Notice of Privacy Practices This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review

More information

Title: HP-53 Use and Disclosure of Protected Health Information for Purposes of Research. Department: Research

Title: HP-53 Use and Disclosure of Protected Health Information for Purposes of Research. Department: Research Title: HP-53 Use and Disclosure of Protected Health Information for Purposes of Research Department: Research I. STATEMENT OF POLICY In order for an investigator to use or disclose protected health information

More information

Give you this notice of our legal duties and privacy practices related to the use and disclosure of your protected health information

Give you this notice of our legal duties and privacy practices related to the use and disclosure of your protected health information Notice Of Privacy Practices - Effective Date: October 17, 2017 You may exercise the following rights by submitting a written request to the Student Health Center Privacy Contact (Director of Health Services).

More information

SUMMARY OF PRIVACY PRACTICES

SUMMARY OF PRIVACY PRACTICES SUMMARY OF PRIVACY PRACTICES This Summary of Privacy Practices summarizes how medical information about you may be used and disclosed by the Plan or others in the administration of your claims, and certain

More information

USD #262 VALLEY CENTER HIPAA MEDICAL PRIVACY POLICIES AND PROCEDURES. HIPAA Privacy Policies and Procedures -1-

USD #262 VALLEY CENTER HIPAA MEDICAL PRIVACY POLICIES AND PROCEDURES. HIPAA Privacy Policies and Procedures -1- USD #262 VALLEY CENTER HIPAA MEDICAL PRIVACY POLICIES AND PROCEDURES HIPAA Privacy Policies and Procedures -1- USD #262 Valley Center Organized Health Care Arrangement HIPAA Privacy Policy and Procedures

More information

NOTICE OF PRIVACY PRACTICES

NOTICE OF PRIVACY PRACTICES NOTICE OF PRIVACY PRACTICES Effective as of September 23, 2013 THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW

More information

USES AND DISCLOSURES OF YOUR PROTECTED HEALTH INFORMATION

USES AND DISCLOSURES OF YOUR PROTECTED HEALTH INFORMATION VALLEY SCHOOLS EMPLOYEE BENEFITS TRUST ACTING ON BEHALF OF CHANDLER UNIFIED SCHOOL DISTRICT AND CHANDLER UNIFIED SCHOOL DISTRICT FLEXIBLE BENEFIT PLAN NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES

More information

LEWIS COUNTY GENERAL HOSPITAL / RESIDENTIAL HEALTH CARE FACILITY 7785 North State Street Lowville, NY NOTICE OF PRIVACY PRACTICES

LEWIS COUNTY GENERAL HOSPITAL / RESIDENTIAL HEALTH CARE FACILITY 7785 North State Street Lowville, NY NOTICE OF PRIVACY PRACTICES LEWIS COUNTY GENERAL HOSPITAL / RESIDENTIAL HEALTH CARE FACILITY 7785 North State Street Lowville, NY 13367 NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED

More information

Effective Date: 08/2013

Effective Date: 08/2013 POLICY/GUIDELINE TITLE: HIPAA Marketing and Sale of Protected Health Information Policy POLICY #: 800.43 System Approval Date: 5/18/18 Site Implementation Date: 6/17/18 Prepared by: ADMINISTRATIVE POLICY

More information

HIPAA Privacy Notice Katy Independent School District HIPAA Privacy Notice

HIPAA Privacy Notice Katy Independent School District HIPAA Privacy Notice HIPAA Privacy Notice Katy Independent School District HIPAA Privacy Notice Please carefully review this notice. It describes how medical information about you may be used and disclosed and how you can

More information

PREMIER SPINE & PAIN CENTER

PREMIER SPINE & PAIN CENTER PREMIER SPINE & PAIN CENTER NOTICE OF PRIVACY PRACTICES This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it

More information

Individuals Right under HIPAA to Access their Health Information 45 CFR

Individuals Right under HIPAA to Access their Health Information 45 CFR Individuals Right under HIPAA to Access their Health Information 45 CFR 164.524 Introduction Providing individuals with easy access to their health information empowers them to be more in control of decisions

More information

UNIVERSITY OF TENNESSEE HEALTH SCIENCE CENTER INSTITUTIONAL REVIEW BOARD USE OF PROTECTED HEALTH INFORMATION WITHOUT SUBJECT AUTHORIZATION

UNIVERSITY OF TENNESSEE HEALTH SCIENCE CENTER INSTITUTIONAL REVIEW BOARD USE OF PROTECTED HEALTH INFORMATION WITHOUT SUBJECT AUTHORIZATION UNIVERSITY OF TENNESSEE HEALTH SCIENCE CENTER INSTITUTIONAL REVIEW BOARD USE OF PROTECTED HEALTH INFORMATION WITHOUT SUBJECT AUTHORIZATION I. PURPOSE To provide guidance to investigators regarding the

More information

7 ATLzr UNIVERSITY OF CALIFORNIA. January 30, 2014

7 ATLzr UNIVERSITY OF CALIFORNIA. January 30, 2014 UNIVERSITY OF CALIFORNIA BEPKELEY DAVIS IRVINE LOS ANGELES MERCED RIVERSIDE SAN DIEGO SAN FRANCISCO 4 SANTA BAREARA SANTA CRUZ CHANCELLORS MEDICAL CENTER CHIEF EXECUTIVE OFFICERS LAWRENCE BERKELEY NATIONAL

More information

DELHAIZE AMERICA PHARMACIES AND WELFARE BENEFIT PLAN HIPAA SECURITY POLICY (9/1/2016 VERSION)

DELHAIZE AMERICA PHARMACIES AND WELFARE BENEFIT PLAN HIPAA SECURITY POLICY (9/1/2016 VERSION) DELHAIZE AMERICA PHARMACIES AND WELFARE BENEFIT PLAN HIPAA SECURITY POLICY (9/1/2016 VERSION) Delhaize America, LLC Pharmacies and Welfare Benefit Plan 2013 Health Information Security and Procedures (As

More information

UNIVERSITY OTOLARYNGOLOGY PRIVACY POLICY

UNIVERSITY OTOLARYNGOLOGY PRIVACY POLICY UNIVERSITY OTOLARYNGOLOGY PRIVACY POLICY THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED OR DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. Effective

More information

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. 165 Court Street Rochester, New York 14647 A nonprofit independent licensee of the BlueCross BlueShield Association THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND

More information

NOTICE OF PRIVACY PRACTICES ORTHOPEDIC ASSOCIATES OF LANCASTER, LTD.

NOTICE OF PRIVACY PRACTICES ORTHOPEDIC ASSOCIATES OF LANCASTER, LTD. NOTICE OF PRIVACY PRACTICES ORTHOPEDIC ASSOCIATES OF LANCASTER, LTD. Willow Valley Medical Center North Pointe Business Park Spooky Nook Sports Complex 212 Willow Valley Lakes Drive 170 North Pointe Boulevard

More information

INDEPENDENCE BLUE CROSS LONG TERM CARE PROGRAM NOTICE OF PRIVACY PRACTICES

INDEPENDENCE BLUE CROSS LONG TERM CARE PROGRAM NOTICE OF PRIVACY PRACTICES INDEPENDENCE BLUE CROSS LONG TERM CARE PROGRAM NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION

More information

Notice of Privacy Practices

Notice of Privacy Practices Notice of Privacy Practices Bryan Physician Network is committed to maintaining the privacy of all medical information entrusted to us. This notice describes how medical information about you may be used

More information

ChoiceNet/InterCare Health Plans Getting Your Arms Around HIPAA Compliance

ChoiceNet/InterCare Health Plans Getting Your Arms Around HIPAA Compliance ChoiceNet/InterCare Health Plans Getting Your Arms Around HIPAA Compliance The enclosed packet includes basic HIPAA Privacy Rule information, Amendments for your health care plan, identified action items

More information

CMS stands for Centers for Medicare & Medicaid Services within the Department of Health and Human Services.

CMS stands for Centers for Medicare & Medicaid Services within the Department of Health and Human Services. HIPAA REGULATIONS (SELECTED SECTIONS FROM 45 C.F.R. PARTS 160 & 164) 160.101 Statutory basis and purpose. The requirements of this subchapter implement sections 1171 through 1179 of the Social Security

More information

Bloomington Bone & Joint Clinic ( BBJ )

Bloomington Bone & Joint Clinic ( BBJ ) Bloomington Bone & Joint Clinic ( BBJ ) NOTICE OF PRIVACY PRACTICES FOR PROTECTED HEALTH INFORMATION THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET

More information

ADKINS CHIROPRACTIC LIFE CENTER 157 KEVELING DRIVE SALINE, MICHIGAN Notice of Patient Privacy Policy

ADKINS CHIROPRACTIC LIFE CENTER 157 KEVELING DRIVE SALINE, MICHIGAN Notice of Patient Privacy Policy ADKINS CHIROPRACTIC LIFE CENTER 157 KEVELING DRIVE SALINE, MICHIGAN 48176 734 429 2410 Notice of Patient Privacy Policy This notice describes how medical information about you may be used and disclosed,

More information

HIPAA FUNDAMENTALS For Substance abuse Treatment Industry

HIPAA FUNDAMENTALS For Substance abuse Treatment Industry HIPAA FUNDAMENTALS For Substance abuse Treatment Industry (c)firststepcounselingonline2014 1 At the conclusion of the course/unit/study the student will... ANALYZE THE EFFECTS OF TRANSFERING INFORMATION

More information

2003 American Medical Association All Rights Reserved

2003 American Medical Association All Rights Reserved Reproduction and use of this form by physicians and their staff is permitted. Any other use, duplication or distribution of this form by any other party requires the prior written approval of the American

More information

Barrett Spinal Care, PC 441 S Muskogee Ave. Tahlequah, OK Notice of Patient Privacy Policy

Barrett Spinal Care, PC 441 S Muskogee Ave. Tahlequah, OK Notice of Patient Privacy Policy Barrett Spinal Care, PC 441 S Muskogee Ave. Tahlequah, OK 74464 918-453-0112 Notice of Patient Privacy Policy This notice describes how medical information about you may be used and disclosed, and how

More information

Luedtke-Storm-Mackey Chiropractic Clinic S.C. Notice of Privacy Practices. Effective September 23, 2013

Luedtke-Storm-Mackey Chiropractic Clinic S.C. Notice of Privacy Practices. Effective September 23, 2013 Luedtke-Storm-Mackey Chiropractic Clinic S.C. Notice of Privacy Practices Effective September 23, 2013 THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN

More information

CREEKSIDE DENTAL REGISTRATION FORM. Please Print PATIENT INFORMATION. Patient s Last Name: First: Middle:

CREEKSIDE DENTAL REGISTRATION FORM. Please Print PATIENT INFORMATION. Patient s Last Name: First: Middle: Today s date CREEKSIDE DENTAL REGISTRATION FORM Please Print PATIENT INFORMATION Patient s Last Name: First: Middle: Home Phone #: Work #: Cell #: Email Address: Street Address: City: State: Zip Code:

More information

MARSHALLTOWN MEDICAL & SURGICAL CENTER Marshalltown Iowa ADMINISTRATIVE POLICY AND PROCEDURE

MARSHALLTOWN MEDICAL & SURGICAL CENTER Marshalltown Iowa ADMINISTRATIVE POLICY AND PROCEDURE MARSHALLTOWN MEDICAL & SURGICAL CENTER Marshalltown Iowa ADMINISTRATIVE POLICY AND PROCEDURE Policy Number: 330 SUBJECT: TRACKING AND ACCOUNTING FOR DISCLOSURES OF PROTECTED HEALTH INFORMATION POLICY HIPAA

More information

ACADEMIC UROLOGY OF PA, LLC.

ACADEMIC UROLOGY OF PA, LLC. ACADEMIC UROLOGY OF PA, LLC. NOTICE OF PRIVACY PRACTICES Effective date: September 23, 2013 THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS

More information

NOTICE OF PRIVACY PRACTICES

NOTICE OF PRIVACY PRACTICES NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. THE PRIVACY OF YOUR

More information

HARVARD CATALYST DATA USE AGREEMENT FOR LIMITED DATA SETS

HARVARD CATALYST DATA USE AGREEMENT FOR LIMITED DATA SETS HARVARD CATALYST DATA USE AGREEMENT FOR LIMITED DATA SETS This template agreement is available for use by Harvard Catalyst institutions where there is not an Institution specific Data Use Agreement required.

More information

"HIPAA RULES AND COMPLIANCE"

HIPAA RULES AND COMPLIANCE PRESENTER'S GUIDE "HIPAA RULES AND COMPLIANCE" Training for HIPAA REGULATIONS Quality Safety and Health Products, for Today...and Tomorrow OUTLINE OF MAJOR PROGRAM POINTS OUTLINE OF MAJOR PROGRAM POINTS

More information

Uses and Disclosures of Medical Information

Uses and Disclosures of Medical Information THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. The Health Insurance Portability and Accountability

More information