UNIVERSITY POLICY. Access of Individuals to Their Protected Health Information. Adopted: 01/23/2003 Reviewed: 3/11/2016


UNIVERSITY POLICY

Policy Name: Access of Individuals to Their Protected Health Information
Section #: 100.1.4
Section Title: HIPAA Policies
Formerly Book: 00-01-15-10:00
Approval Authority: RBHS Chancellor/Executive Vice President for Health Affairs
Responsible Executive: Senior Vice President and Chief Enterprise Risk Management, Ethics and Compliance Officer
Responsible Office: Office of Enterprise Risk Management, Ethics and Compliance
Adopted: 01/23/2003
Reviewed: 3/11/2016
Revised: 06/22/2011; 7/1/2013; 3/11/2016
Contact: Office of Enterprise Risk Management, Ethics and Compliance: 973-972-8093

1. Policy Statement

This policy covers the rights of patients to inspect and to obtain a copy of Protected Health Information (PHI) contained in the patient's designated record set.

This policy applies to:

I. The Rutgers Covered Entity and Covered Components within that entity including faculty, employees, students, volunteers, trainees, and other persons whose conduct, in the performance of work for Rutgers and/or its units, is under the direct control of such Entity, whether or not they are paid by Rutgers.

II. Any Rutgers University workforce member of any Rutgers school, unit or department that bills federal and/or state programs for the provision of medical care to patients, or engages in human subject research sponsored by federal, state or private programs.

III. Any Business Associate, independent contractor or other vendor providing services engaged by the Rutgers Covered Entity.

IV. Other University departments that assist the Rutgers Covered Entity in certain activities including, but not limited to the Office of Enterprise Risk Management, Ethics and Compliance, the Office of Information Technology and the Office of the Senior Vice President and General Counsel.

2. Reason for Policy

To establish a policy to ensure that all components within the Rutgers Covered Entity comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), including the HITECH Act (2009) and the Omnibus Rule (2013), in providing an individual the right of access to inspect and to obtain a copy of Protected Health Information (PHI) about the individual in a designated record set.

3. Who Should Read this Policy

This policy applies to and should be read by:

I. The Rutgers Covered Entity and Covered Components within that entity including faculty, employees, students, volunteers, trainees, and other persons whose conduct, in the performance of work for Rutgers and/or its units, is under the direct control of such Entity, whether or not they are paid by Rutgers.

II. Any Rutgers University workforce member of a Rutgers school, unit or department that bills federal and/or state programs for the provision of medical care to patients.

III. Any Rutgers University workforce member of any Rutgers school, unit or department that engages in the provision, coordination, or management of health care and related services.

IV. Any business associate, independent contractor or other vendor providing services engaged by the Rutgers Covered Entity.

V. University departments that assist the Rutgers Covered Entity in certain activities including, but not limited to the Office of Enterprise Risk Management, Ethics and Compliance, the Office of Information Technology and the Office of the Senior Vice President and General Counsel.

4. Resources

I. 45 CFR 164.524, Title 45, Code of Federal Regulations, Part 164, Section 524, Security and Privacy, Access of Individuals to Protected Health Information

II. 45 CFR 160 and 164 Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule January 25, 2013

III. Privacy Act, 5 U.S.C. 552a

The following policies provide additional and related information:

IV. Standards for Privacy of Individually Identifiable Health Information, Policy 100.1.9

V. Uses and Disclosures of Health Information with and Without an Authorization, Policy 100.1.1

5. Definitions

I. Protected Health Information (PHI): Protected health information means individually identifiable health information that relates to the past, present or future physical or mental health condition of an individual, the provision of health care to an individual or the past, present or future payment for the provision of health care to an individual and identifies or could reasonably be used to identify the individual.

   A. Except as provided in paragraph two (2) of this definition, that is:
      a) transmitted by electronic media;
      b) maintained in electronic media; or
      c) transmitted or maintained in any other form or medium.

   B. Protected Health Information excludes individually identifiable health information in:
      a) Education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g;
      b) Records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and
      c) Employment records held by a covered entity in its role as employer.

   C. Relevant individually identifiable health information of deceased individuals should be considered active PHI for 50 years after death.

II. Business Associates (BA): A business associate is any organization (an individual person can be an organization, e.g. an independent consultant) that creates, receives, maintains, or transmits PHI on behalf of a covered entity (CE) including but not limited to the following functions:

   A. A function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management and re-pricing; or

   B. Any other function or activity regulated by HIPAA regulations; or

   C. Provides legal, actuarial, accounting, auditing, consulting, data aggregation (as defined in CFR 164.501), management, administrative, accreditation, or financial services to or for Rutgers and/or its units, or to and/or for an organized health care arrangement in which Rutgers and/or its units participate, where the provision of the service involves the disclosure of individually identifiable health information from such entities or arrangement, or from another business associate of such entities or arrangement, to the person.

III. Workforce: Faculty, employees, students, volunteers, trainees, and other persons whose conduct, in the performance of work for Rutgers and/or its units, is under the direct control of the Rutgers Covered Entity, whether or not they are paid by Rutgers.

IV. HITECH ACT (2009): Section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009 (ARRA) that was enacted on February 17, 2009.

V. HIPAA Omnibus Rule (2013): Enhancements to the HIPAA Privacy, Security, Enforcement and breach notification rules under HITECH and GINA. 45 CFR parts 160 and 164. See Federal Register, Vol 78 (17), Friday, January 25, 2013.

VI. Covered Entity (CE): Either (1) a health care provider, (2) a health plan or (3) a health care clearinghouse who transmits any health information in electronic form in connection with a transaction covered by 45 CFR 160.103. Covered Entities must comply with HIPAA regulation, including the HITECH Act (2009), the Omnibus Rule (2013) and related state and federal law.

VII. Rutgers Covered Entity: The collective term referring to all units, schools or departments that meet the definition of a Covered Entity as put under 45 CFR 160.103 and are required to follow HIPAA regulation, including the HITECH Act (2009), the Omnibus Rule (2013) and related state and federal law.

VIII. Rutgers Covered Component: Refers to a single unit, school or department within the Rutgers Covered Entity.

6. The Policy

The Rutgers Covered Entity through its Workforce must provide a patient/individual with the right of access to inspect and obtain a copy of PHI pertaining to the individual in a designated record set as long as the record is maintained by the Rutgers Covered Entity.

The Rutgers Covered Entity requires patients/individuals to make requests for access in writing. A copy of the Request for Access to Protected Health Information form may be accessed through the Office of Enterprise Risk Management, Ethics and Compliance website.

A. Requirements:

1. The Rutgers Covered Entity must provide access to inspect and obtain a copy of an individual's PHI, except for:

   a. Psychotherapy notes

   b. Information compiled in reasonable anticipation of, or for use in, a civil, criminal or administrative action or proceeding

   c. PHI maintained by the Rutgers Covered Entity that is subject to Clinical Laboratory Improvements Act (CLIA) amendments of 1988 to the extent that CLIA would prohibit an individual's access to the information in question.

2. The Rutgers Covered Entity may deny an individual access without providing the individual an opportunity for review in the following circumstances (Unreviewable Grounds for Denial):

   a. The PHI is the subject of one of the items in Requirements Section A1 above.

   b. The PHI was created or obtained by a covered health care entity in the course of research that includes treatment, provided that the individual had agreed to the denial of access at the time consent was given by the individual for participation in the research. In this instance, the right of access for PHI is temporarily suspended and will be reinstated upon the completion of the research.

   c. The PHI was obtained from someone other than a health care provider under a promise of confidentiality and the access requested would be reasonably likely to reveal the source of the information.

   d. The PHI contained in records subject to the Privacy Act, 5 U.S.C. 552a, if the denial of access under the Privacy Act would meet the requirements of that law.

   e. The PHI was obtained from someone other than a health care provider under a promise of confidentiality and the access requested would reasonably be likely to reveal the source of the information.

   f. A covered entity that is also a correctional institution or a covered health care provider acting under the direction of a correctional institution may deny, in whole or in part, the PHI if such copy would jeopardize the health, safety, security, custody, or rehabilitation of the individual or of other inmates, or the safety of any officer, employee, or other person at the correctional institution or responsible for the transporting of the inmate.

3. The Rutgers Covered Entity may deny an individual access providing the individual is given a right to have such denial reviewed by a licensed health care professional who is designated by the Rutgers Covered Entity to act as a reviewing official and who did not participate in the original decision to deny in the following circumstances (Reviewable Grounds for Denial):

   a. A licensed health care professional has determined that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person.

   b. The PHI makes reference to another person and a licensed health care professional makes the determination that the access requested is reasonably likely to cause substantial harm to such other person.

   c. The request for access is made by the individual's personal representative and a licensed health care professional makes the determination that the provision of access to the personal representative is reasonably likely to cause substantial harm to the individual or another person.

B. Responsibilities:

1. The Rutgers Covered Entity must act on requests to access PHI within thirty (30) days after receipt of request. If the request is for PHI not maintained or accessible to the Rutgers Covered Entity on site, the Rutgers Covered Entity must take action by no later than sixty (60) days from the receipt of such a request. However, the Rutgers Covered Entity must provide a written statement of the reasons for the delay and the date by which the Rutgers Covered Entity will complete its action on the request. No other time extensions will be granted in excess of sixty (60) days.

2. If any component of the Rutgers Covered Entity grants the request to access the PHI, in whole or in part, the Rutgers Covered Component must inform the individual of the acceptance of the request and provide the access requested by:

   a. Providing the access requested

      The Rutgers Covered Component must provide the access requested by individuals, including inspection or obtaining a copy, or both, of the PHI in designated record sets. If the same PHI that is the subject of a request for access is maintained in more than one designated record set or at more than one location, the Rutgers Covered Entity need only produce the PHI once in response to a request for access.

   b. Form of access requested

      i. Must provide the individual with access to the PHI in the form or format requested by the individual. If the PHI that is the subject of a request is maintained electronically and if the individual requests an electronic copy of such information, the Rutgers Covered Entity must provide the individual access to the PHI in an electronic form and format requested by the individual, if it is readily producible in such form and format; or, if not, in a readable electronic form and format as agreed to by the individual and the Rutgers Covered Entity.

      ii. May provide the individual with a summary of the PHI requested, rather than access to the PHI, or may provide an explanation of the PHI to which access has been provided, if:
         - The individual agrees in advance to such a summary or explanation.
         - The individual agrees in advance to any fees imposed by the covered entity for such summary or explanation.

   c. Time and manner of access

      i. Workforce members of Rutgers Covered Components must provide the access, including arranging with the individual for a convenient time and place to inspect or obtain a copy of the PHI; or mailing the copy of the PHI at the individual's request. Workforce of the Rutgers Covered Components may discuss the scope, format, and other aspects of the request for access with the patient/individual as necessary to facilitate the timely provision of access.

      ii. If the patient/individual requests a copy of the PHI or agrees to a summary or explanation of information, the Rutgers Covered Component may impose a reasonable cost-based fee, provided that the fee includes only the cost of:
         - Copying the PHI, including the cost of supplies and labor.
         - Postage when the patient/individual requested the copy, summary or explanation to be mailed.
         - Preparing an explanation or summary of the PHI.

   d. If the Rutgers Covered Component denies the request to access the PHI, in whole or in part, the Rutgers Covered Component must provide the patient/individual with a timely written denial. The denial must be in plain language and contain:

      i. The basis for the denial;

      ii. A statement of the individual's review rights, including a description of how the individual may exercise such review rights; and

      iii. A description of how the individual may file a complaint with the Rutgers Enterprise Risk Management, Ethics and Compliance or to the Department of Health and Human Services (DHHS), pursuant to the compliance procedures. The description must include the name, or title, and telephone number of the Rutgers contact persons or offices.

   e. If the Rutgers Covered Component does not maintain the PHI that is the subject of the subject/individual's request for access, and the Rutgers Covered Component knows where the requested information is maintained, the Rutgers Covered Component must inform the patient/individual where to direct the request for access. The Rutgers Covered Component must document and retain the following information:

      i. The designated record sets that are subject to access by individuals.

      ii. The titles of the persons or offices responsible for receiving and processing requests for access by individuals.

   f. If the patient/individual has requested a review of a denial, the Rutgers Covered Entity must promptly designate, and refer the request to, a licensed health care professional, who was not directly involved in the denial, to review the decision to deny access. The designated reviewing official, within a reasonable period of time not to exceed 90 days, must determine whether or not to deny the access requested based on the standards put forth in this policy. The Rutgers Covered Entity must promptly provide written notice to the individual of the determination of the designated reviewing official and take other actions as required to carry out the designated reviewing official's determination.

   g. All requests made for access to PHI must be made to the individual designated by the Department Chair, Dean or President/CEO of a Rutgers Covered Component.