USE OF PROTECTED HEALTH INFORMATION ( PHI ) FOR MARKETING PURPOSES

Similar documents
Marketing This authorization authorizes marketing activities for which this medical practice will will not receive direct or indirect compensation.

UAMS ADMINISTRATIVE GUIDE NUMBER: 2.1

USE AND DISCLOSURE REQUIRING AUTHORIZATION. Identifies when Facilities may use and disclose PHI of patients pursuant to an Authorization.

COVERED TRANSACTION means a Transaction for which the Secretary has adopted a standard under HIPAA.

North Shore LIJ Health System, Inc. Facility Name. CATEGORY: Effective Date: 8/15/13

RELEASE OF PROTECTED HEALTH INFORMATION ( PHI ) FOR RESEARCH PURPOSES

HIPAA Privacy Release Form

"HIPAA RULES AND COMPLIANCE"

Effective Date: 08/2013

Texas Tech University Health Sciences Center HIPAA Privacy Policies

These restrictions apply to:

UCLA Policy 420: Breaches of Computerized Personal Information

Texas Tech University Health Sciences Center El Paso HIPAA Privacy Policies

AUTHORIZATION TO USE, DISCLOSE, & RELEASE PROTECTED HEALTH INFORMATION

Let s get started with the module HIPAA and Data Sharing.

To: Our Clients and Friends January 25, 2013

ADMINISTRATIVE POLICY & PROCEDURE

CHAPTER 33 HIPAA PRIVACY REGULATIONS

New HIPAA-HITECH Proposed Regulations Issued

HIPAA PRIVACY AUTHORIZATION FORM

THE CITY AND COUNTY OF SAN FRANCISCO SECTION 125 CAFETERIA PLAN HIPAA PRIVACY POLICIES & PROCEDURES

Client Contract. Client Full Name: Social Security Number: POA/Guardian Name: Phone: Address:

HIPAA FUNDAMENTALS For Substance abuse Treatment Industry

INFORMATION FORM. Page 1 of 17

University of Wisconsin-Madison Policy and Procedure

HIPAA Definitions.

Central Florida Regional Transportation Authority Table of Contents A. Introduction...1 B. Plan s General Policies...4

Welcome to Rx Help Centers!

1 Security 101 for Covered Entities

Health Care Compliance Association

Would you like to receive s with special offers from Carolina Vein Center? yes no

Saint Louis University Notice of Privacy Practices Effective Date: April 14, 2003 Amended: September 22, 2013

East Alabama Campus Health, L.L.C. d/b/a Auburn University Medical Clinic

Health Insurance Portability and Accountability Act (HIPAA) Terms and Conditions For Business Associates

To inform the UAMS workforce about the requirements for a patient s request to amend medical records or Protected Health Information (PHI).

Trinity Family Physicians

PATIENT REGISTRATION FORM

NOTICE OF PRIVACY PRACTICES

UNIVERSITY OF ARKANSAS SYSTEM

Guidelines for the Release and Retention of Medical Records Revised February 20, 2015

HIPAA MANUAL Whole Child Pediatrics

UBMD Policy for HIPAA Compliant Subject Recruitment

1. INTRODUCTION AND PURPOSE OF THIS DOCUMENT:

Georgia Health Information Network, Inc. Georgia ConnectedCare Policies

HIPAA PRIVACY RULE POLICIES AND PROCEDURES

Name: DOB: SS: Mailing Address: City: State: Zip: Home #: Cell phone #: Martital Status: Address:

Notice of Privacy Practices Linn County Employee Health Care and Health Related Benefits Programs

MNsure Certified Application Counselor Services Agreement with Tribal Nation Attachment A State of Minnesota

UCLA Health System Data Use Agreement

Health Insurance Portability and Accountability Act (HIPAA) West Virginia State Government Covered Entity Survey

POLICY REGARDING NOTICE OF PRIVACY PRACTICES

AccessCUBICIN Enrollment Form

PRIVACY POLICY. Last Updated: 06/16/2017

COLUMBIA UNIVERSITY MEDICAL CENTER INSTITUTIONAL REVIEW BOARD (IRB)

Christina Agustin, MD Board Certified in Adult Psychiatry 1 Lake Bellevue Drive, Suite 101 Bellevue, WA Phone Fax:

Regenstrief Center for Healthcare Engineering HIPAA Compliance Policy

BUFFALO ENT SPECIALISTS, LLP

COVERED ENTITY CHARTS

PATIENT INFORMATION FORM

COLUMBIA UNIVERSITY INSTITUTIONAL REVIEW BOARD POLICY ON THE PRIVACY RULE AND THE USE OF HEALTH INFORMATION IN RESEARCH

The wait is over HHS releases final omnibus HIPAA privacy and security regulations

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

PREMIER SPINE & PAIN CENTER

THIS NOTICE DESCRIBES HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.

Effective Date: March 23, 2016

HIPAA PRIVACY POLICY AND PROCEDURES FOR PROTECTED HEALTH INFORMATION THE APPLICABLE WELFARE BENEFITS PLANS OF MICHIGAN CATHOLIC CONFERENCE

Executive Policy, EP HIPAA. Page 1 of 25

Notice of Privacy Practices

UNIVERSITY POLICY. Adopted: 11/1/2016 Reviewed: 11/1/2016. Revised: Contact:

CREEKSIDE DENTAL REGISTRATION FORM. Please Print PATIENT INFORMATION. Patient s Last Name: First: Middle:

Standards for Privacy of Individually Identifiable Health Information

Occidental Petroleum Corporation

NOTICE OF PRIVACY PRACTICES

NOTICE OF PRIVACY PRACTICES Total Sports Care, P.C.

Robert E. Parker, Ph.D., P.C st Ave S. #101 Normandy Park, WA (206)

Port City Chiropractic. P.C. 11 Fourth Avenue Oswego, NY Fax HIPAA NOTICE OF PRIVACY PRACTICES

79th OREGON LEGISLATIVE ASSEMBLY Regular Session. Enrolled. House Bill 2341

Flexible Benefits Plans

Barrett Spinal Care, PC 441 S Muskogee Ave. Tahlequah, OK Notice of Patient Privacy Policy

SUNY DOWNSTATE MEDICAL CENTER UNIVERSITY HOSPITAL OF BROOKLYN POLICY AND PROCEDURE

Children s Hospital of Philadelphia SOP 707 Page Effective Date: Title: Requirements for and

HIPPA Research Policy

HIPAA Enforcement Under the HITECH Act; The Gloves Come Off

UNIVERSITY POLICY. Access of Individuals to Their Protected Health Information. Adopted: 01/23/2003 Reviewed: 3/11/2016

CMS stands for Centers for Medicare & Medicaid Services within the Department of Health and Human Services.

Varkey Medical LLC NOTICE OF PRIVACY PRACTICES

104 Delaware Health Care Claims Database Data Access Regulation

Patient Registration

TRIPLE C HOUSING, INC.

ACTION ITEM EXECUTIVE SUMMARY

BUSINESS ASSOCIATE AGREEMENT W I T N E S S E T H:

HIPAA & The Medical Practice

NATIONAL INVITATIONAL CAMP, INC. AUTHORIZATION FOR USE AND DISCLOSURE OF RECORDS AND INFORMATION

PRIVACY NOTICE THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.

ADKINS CHIROPRACTIC LIFE CENTER 157 KEVELING DRIVE SALINE, MICHIGAN Notice of Patient Privacy Policy

**** Does the above address, match the address on your State Identification Card? Yes No *****

HIPAA Privacy For our Group Customers and Business Partners

Welcome to Thurston Medical Clinic

Consent for Purposes of Treatment, Payment and Healthcare Operations

Saturday, April 28 Medical Ethics: HIPAA Privacy and Security Rules

Transcription:

USE OF PROTECTED HEALTH INFORMATION ( PHI ) FOR MARKETING PURPOSES PURPOSE The purpose of this policy is to establish guidelines for the release of Protected Health Information( PHI ) for marketing purposes that ensures the privacy of patients as required by the federal Health Insurance Portability and Accountability Act of 1996 (the Privacy Rule ) and California law. This policy applies to the System and David Geffen School of Medicine at UCLA (hereafter referred to as ). DEFINITIONS Protected Health Information or PHI is any individually identifiable health information, in any format, including verbal communications, regarding a patient created as a consequence of the provision of health care. Individually identifiable means that the health or medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient s name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the individual s identity. PHI includes patient billing and health insurance information and applies to a patient s past, current or future physical or mental health or treatment. Electronic Protected Health Information or ephi is PHI that is transmitted by electronic media or is maintained in electronic media. For example, ephi includes all data that may be transmitted over the Internet, or stored on a computer, a CD, a disk, magnetic tape or other media. Personal Information (PI) as used in this policy is an individual s first name or first initial and last name combined with any one of the following: (1) social security number, (2) driver s license number or California identification card number, Page 1 of 9

(3) account number, credit, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual s financial account, (4) medical information, or (5) health insurance information. Medical information means any information, in either electronic or physical form, regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional, and which may be in the possession of or derived from a health care provider, health care service plan, pharmaceutical company or contractor. Health insurance information means an individual's health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual's application and claims history, including any appeals records. Medical information and health insurance information for patients are also considered to be PHI. Restricted Information (as defined by UC Policy IS-3, Electronic Information Security) describes any confidential or Personal Information that is protected by law or policy and that requires the highest level of access control and security protection, whether in storage or in transit. This includes Personal Information, PHI and ephi as defined in this section but could also include other types of information such as research data. Workforce means employees, volunteers, and other persons whose conduct, in the performance of their work for, is under the direct control of or the Regents of the University of California, whether or not pays them. The Workforce includes employees, medical staff, and other health care professionals, agency, temporary and registry personnel, and trainees, house staff, students and interns, regardless of whether they are UCLA trainees or rotating through facilities from another institution. Marketing (1) is a communication about a product or service that encourages a recipient of the communication to purchase or use the product or service or (2) is an arrangement between a covered entity and any other entity whereby (a) the covered entity sells or otherwise receives indirect or direct remuneration for disclosing PHI to the other entity; and (b) the other entity or its affiliate(s) uses the PHI to make communication about its own product or service that encourages recipients to purchase or use that product or service. Page 2 of 9

POLICY Except as otherwise permitted in this policy, System and/or its providers must obtain a written authorization from a patient before they may use or disclose the patient s PHI for marketing purposes. This requirement applies to all members of the System workforce and outside entities that carry out marketing activities and functions on the behalf of System and/or its providers. In addition, when System contracts with business associates/consultants to carry out marketing activities on the behalf of System, those entities must enter into a business associate agreement (see: Privacy Policy and Procedure No. 9430, Business Associate Amendments ), pursuant to which they agree to comply with the patient privacy and information security requirements required by law. PROCEDURE I. Use or Disclosure of PHI for Marketing Purposes A. Written Authorization Generally Required. In general, PHI may not be disclosed for marketing purposes without the patient s written authorization. PHI includes Demographic Information, without any accompanying diagnosis or treatment information; so a written authorization must be obtained from the patient even to use the patient s address or phone number for marketing. The requirements for a valid written authorization are discussed in Privacy Policy and Procedure No. 9412, Authorization to Disclose Protected Health Information ( PHI ) and must include, among other things, the name or other specific identification of the persons, or class of persons, to whom System may make the requested use or disclosure. A valid written authorization for marketing must state whether marketing involves direct or indirect payment to System from a third party. A blanket authorization for marketing is not permitted. All valid authorizations signed by the patient for marketing purposes should be forwarded to the Health Information Management Services Department for scanning into the patient s electronic medical record. B. Exceptions to Written Authorization Requirement The following communications are considered to be marketing but do not require patient written authorization: Page 3 of 9

i. A face-to-face communication made by System to an individual (a face-to face encounter does not include, however, a communication by telephone, mail, fax or the internet); or ii. A promotional gift of nominal value provided by System (such as free infant formula samples). C. Activities Must Comply with Other Laws and University Policies. System physicians and staff must be mindful that communications to an individual to recommend, purchase or use a product or service as part of the individual s treatment, case management or care coordination could be considered a violation of other statutes or regulations administered by the Department of Health and Human Services, the Department of Justice or other federal agencies if the provider uses his or her relationship with the individual to systematically market the goods and products of third parties. In addition, University policy prohibits the endorsement of commercial products by the University and its employees. II. What is Not Marketing Health Care Communications The following health care communications do not qualify as marketing provided that System does not receive direct or indirect payment for making the communication: A. Communications for treatment of the individual. B. Communications for case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individuals. C. Communications to describe a health-related product or service (or payment for such product or service) that are provided by, or included in a plan of benefits of, the covered entity making the communication, including communications about: the entities participating in a health care provider network or health plan network; replacement of, or enhancements to, a health plan; and health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits. Page 4 of 9

Below are examples of communications which would not be considered marketing for purposes of this policy: i. Health education or wellness classes, support groups, health fairs; ii. iii. iv. Mailings reminding women to get an annual mammogram; Communications about government and government-sponsored programs e.g., Medicare supplemental payments and SCHIP; Newsletters, so long as the content does not meet the definition of marketing; and v. Population-based activities to improve health or reduce health care costs. However, in those cases where System does receive direct or indirect payment for health care communication, the communication will still not be considered marketing if one of the following scenarios applies: i. The communication only describes a drug or biologic that has been previously prescribed to the individual, and the payment is determined to be reasonable; ii. iii. The communication is made by a business associate pursuant to a business associate agreement, and the communication does not involve the use of PHI to promote an activity or product of the business associate or another third party; or System makes the communication only after obtaining a valid written authorization from the individual who will receive the communication. III. Methods of Communication When sending a patient a communication that includes protected health information, whether or not for marketing purposes as defined above, UCLA Health System shall send the communication in a manner that protects the patient s privacy. Approved communication methods include, but are not limited to, folded postcards, sealed envelopes, and secured electronic transmission. Page 5 of 9

IV. Requests for Limitations on Use of PHI for Healthcare Communications An individual may request or negotiate limits on the uses and disclosures of PHI for those healthcare communications that are not marketing. All requests for restrictions should be forwarded to the Privacy Office for review. No restrictions should be agreed to without approval from the Privacy Office.. (See: Privacy Policy and Procedure No. 9414, Requests for Special Restriction on the Use or Disclosure of Protected Health Information. ) V. Questions Questions regarding the appropriateness of a particular marketing communication should be directed to System s Director of Marketing or the Privacy Office. REFERENCES Health Insurance Portability and Accountability Act, 45 CFR 160-164 California Medical Information Act, California Civil Code Section 56 et seq. Information Practices Act of 1977, California Civil Code Sections 1798.29 and 1798.82 California Health and Safety Code Sections 1280.15 and 130203 California Lanterman-Petris Short Act ( LPS Act ), University of California HIPAA Uses and Disclosures for Marketing Policy CONTACT Chief Privacy Officer, Compliance Office Chief Information Security Officer, Compliance Office REVISION HISTORY Approved: April 8, 2003 Effective Date: April 14, 2003 Revised Date: May 7, 2007; May 2, 2008, March 31, 2011 Page 6 of 9

APPROVAL Health Sciences Enterprise Compliance Oversight Board Approved 12/11/2010 David Feinberg, MD CEO and Associate Vice Chancellor UCLA Hospital System Randolph Steadman, MD Chief of Staff Ronald Reagan UCLA Medical Center Denise Sur, MD Chief of Staff Santa Monica-UCLA Medical Center and Orthopaedic hospital James J. McGough, MD Chief of Staff Resnick Neuropsychiatric Hospital at UCLA Page 7 of 9

AB HIPAA MARKETING AUTHORIZATION I authorize System to release my protected health information to (specify the name (s), or other identify of the person(s) or class or group of person(s) ): Street Address (If applicable) City, State, Zip Code (If Applicable) Phone Number (If Applicable) PLEASE SPECIFY THE PROTECTED HEALTH INFORMATION YOU AUTHORIZE TO BE RELEASED: Type (s) of health information: Date (s) of treatment: The following information will not be released unless you specifically authorize it by initialing the relevant line(s) below: I specifically authorize the release of information pertaining to drug and alcohol abuse, diagnosis or treatment (42 C.F.R. 2.34 and 2.35). I specifically authorize the release of information pertaining to mental health diagnosis or treatment (Welfare &Institutions Code 5328, et seq.) I specifically authorize the release of HIV/AIDS test results (Health and Safety Code 120980(g)). I specifically authorize the release of genetic testing information (Health and Safety Code 124980(j)). THE PURPOSE OF THE RELEASE OF YOUR PROTECTED HEALTH INFORMATION IS FOR (check one or more): Marketing activities that provide your health information to outside third parties, businesses or companies (see name above) so that they can contact you to sell or promote a product. I understand that System will receive remuneration for this marketing activity will not receive remuneration for this marketing activity. Other(specify) NOTICE: System and many other organizations and individuals such as physicians, hospitals and health plans are required by law to keep your health information confidential. If you have authorized the disclosure of your health information to someone who is not legally required to keep it confidential, it may be subject to redisclosure and may no longer be protected by state or federal confidentiality laws. This Authorization to release health information is voluntary. You are not required to sign this authorization in order to receive treatment, for payment of your care, or for enrollment in a health plan or eligibility for benefits. This Authorization may be revoked at any time. The revocation must be in writing, signed by you or your patient representative, and delivered to:. The revocation will Page 8 of 9

take effect when System receives it, except to the extent System or others have already relied on it. You are entitled to receive a copy of this Authorization. Unless otherwise revoked, this Authorization expires on. If no date is indicated, the Authorization will expire 5 years after the date of your signing this form. Print Name Signature (Patient, Parent, Guardian) Date/Time Relationship to Patient (Parent, Guardian, Witness (if patient unable to sign) Phone Number Conservator, Patient Representative) or Interpreter Mailing Address: Page 9 of 9

2024 © financedocbox.com Privacy Policy | Terms of Service | Feedback