North Shore LIJ Health System, Inc. Facility Name. CATEGORY: Effective Date: 8/15/13


Transcription:

North Shore LIJ Health System, Inc.
Facility Name
ADMINISTRATIVE POLICY AND PROCEDURE MANUAL

POLICY TITLE: HIPAA Marketing and Sale of Protected Health Information Policy
POLICY #: 800.43
CATEGORY:
System Approval Date: 1/21/16
Effective Date: 8/15/13
Site Implementation Date:
Last Reviewed/Revised: 8/15/13
Prepared by: Office of Corporate Compliance
Superseded Policy(s)/#:

GENERAL STATEMENT of PURPOSE

To establish requirements for using Protected Health Information ("PHI") for Marketing purposes and for selling PHI.

POLICY

The Health Insurance Portability and Accountability Act ("HIPAA") Privacy Rule prohibits the North Shore LIJ Health System ("Health System") from using PHI to send promotional communications paid for by third parties, except for refill reminders for which the Health System receives a cost-based fee. PHI will be used or disclosed for Marketing (as defined below) purposes only as specified in the process outlined below and as permitted by HIPAA. The Health System will not sell PHI, except as permitted by HIPAA.

Note: Marketing activities that do not involve uses or disclosures of PHI are not subject to HIPAA privacy regulations.

SCOPE

This policy applies to faculty at any Health System facility and all members of the Health System workforce including, but not limited to, employees, medical staff, volunteers, students, physician office staff, and other persons performing work for or at Health System including faculty of the Hofstra-North Shore-LIJ School of Medicine conducting research on behalf of the School of Medicine and all entities, employees, and providers of the North Shore-LIJ Health Insurance Organization. This policy is intended to apply to both patients of the Health System and members of the North Shore-LIJ insurance and health plans where applicable.

DEFINITIONS

Protected Health Information or "PHI": Any oral, written or electronic individually identifiable health information collected or stored by a facility. Individually identifiable health information includes demographic information and any information that relates to the past, present or future physical or mental condition of an individual.

Page 1 of 5 800.43 1/21/2016

HIPAA details eighteen items that render PHI identifiable:

1. Names;
2. Geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code in certain situations;
3. All elements of date (except year) for dates directly related to an individual, including birth date, discharge date, date of death; and all ages over 89 and all elements of dates indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
4. Telephone numbers;
5. Fax numbers;
6. Electronic mail addresses;
7. Social security numbers;
8. Medical record numbers;
9. Health plan beneficiary numbers;
10. Account numbers;
11. Certificate/license numbers;
12. Vehicle identifiers and serial numbers;
13. Medical Device Identifiers;
14. Web Universal Resource Locators (URLs);
15. Internet Protocol (IP) address numbers;
16. Biometric identifiers, including finger and voice prints;
17. Full face photographic images and any comparable images; and
18. Any other unique identifying number, characteristic, or code.

Marketing: Marketing is defined by HIPAA as making a communication about a product or service that encourages the recipient of the communication to purchase or use the product or service (with the exception of the communications listed below), or an arrangement between the Health System and any other entity where the Health System discloses PHI in exchange for direct or indirect payment so that the other entity can make a communication about its own product or service that encourages the recipient of the communication to use or purchase that product or service.
The following communications are specifically excepted from the definition of Marketing, so long as the Health System does NOT receive financial remuneration in exchange for making the communication:

- Communication for treatment, including case management or care coordination, or to direct or recommend alternative treatments, therapies, providers or settings of care; or
- Communication to describe a health-related product or service provided by the Health System.

In addition, the following are NOT considered "Marketing":

- Face-to-face communications with the patient by the Health System, its providers and/or workforce;
- Promotional gifts of a nominal value given to the patient by the Health System, its providers and/or workforce; and
- Refill reminders or other communications about a drug or biologic currently being prescribed for the patient, so long as any financial remuneration received by the Health System for making the communication is reasonably related to the Health System's cost of making the communication.

Business Associate (BA): A person or entity that performs certain functions or activities that creates, receives, maintains or transmits PHI on behalf of, or provides services to the Health System and is an external person or entity. Examples of BA functions or activities can include, but are not limited to: claims processing or administration, data analysis, utilization review, quality assurance, billing, benefit management, practice management, and software hosting of PHI. Examples of BA services include: legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, and financial. If you have any questions regarding whether a person or entity's function qualifies as a BA, contact the Procurement office.

Sale of PHI is defined as a disclosure of PHI by the Health System, or a Business Associate of the Health System, if applicable, where the Health System or its Business Associate directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the PHI.
A sale of PHI does NOT include a disclosure of PHI:

- For public health purposes;
- For research purposes, where the only remuneration received by the Health System or its Business Associate is a reasonable cost-based fee to cover the cost to prepare and transmit the PHI;
- For treatment and payment purposes;
- For the sale, transfer, merger or consolidation of all or part of the Health System and for related due diligence;
- To or by a Business Associate for activities that the Business Associate undertakes on behalf of the Health System, and the only remuneration provided is by Health System to the Business Associate;
- To the patient, when requested by the patient; or
- For any other purpose permitted by the Privacy Rule where the only remuneration received by the Health System or its Business Associate is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purpose, or a fee otherwise expressly permitted by law.

PROCEDURE/GUIDELINES

Marketing

The Health System must obtain an individual's authorization using a HIPAA-compliant authorization form before using or disclosing the individual's PHI for Marketing purposes. Please contact the Office of the Corporate Compliance if you wish to obtain such an authorization.

Sale of PHI

The Health System must not sell PHI, unless it obtains a HIPAA-compliant authorization from the individuals who are the subject of the PHI being sold. Please contact the Office of the Corporate Compliance if you wish to obtain such an authorization.

Training

The Office of Corporate Compliance will provide training on HIPAA on, at least, an annual basis.

Sanctions

In compliance with HIPAA, violations of this policy will be subject to disciplinary action as outlined in the Human Resources Policy and Procedure Manual and in the Bylaws, Rules and Regulations of the Medical Staff.

Document Retention

Any documentation generated in compliance with this policy will be retained for a minimum of 6 years from the date of its creation.

Questions related to this policy should be directed to the Office of Corporate Compliance.

REFERENCES to REGULATIONS and/or OTHER RELATED POLICIES

- Final HIPAA Omnibus Rule (78 Fed. Reg. 5566)
- Health Insurance Portability and Accountability Act, 45 CFR Parts 160 and 164
- Health Information Technology for Economic and Clinical Health (HITECH) Act, Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (ARRA), Pub. L. No. 111-5 (Feb. 17, 2009)
- NS-LIJ Health System Human Resources Policy and Procedure Manual, Part V
- NS-LIJ Health System Bylaws, Rules and Regulations of the Medical Staff

CLINICAL REFERENCES

ATTACHMENTS

FORMS

APPROVAL:
System P&P Committee: 7/25/13; 12/18/15
System PICG/Clinical Operations Committee: 8/15/13; 1/21/16

Versioning History: 8/13