
UNIVERSITY POLICY

Policy Name: Hybrid Entity Declaration
Section #: 100.1.12
Section Title: HIPAA Policies
Approval Authority: RBHS Chancellor/Executive Vice President for Health Affairs
Responsible Executive: Senior Vice President and Chief Enterprise Risk Management, Ethics and Compliance Officer
Responsible Office: Office of Enterprise Risk Management, Ethics and Compliance
Formerly Book: N/A
Adopted: 11/1/2016
Reviewed: 11/1/2016
Revised:
Contact: Office of Enterprise Risk Management, Ethics and Compliance: 973-972-8093

1. Policy Statement

To define Rutgers University as a hybrid entity under the HIPAA regulations, and to designate the health care covered components within the hybrid entity in accordance with 45 C.F.R. 164.103 and 164.105.

2. Reason for Policy

Rutgers University's designated health care components are subject to University policy guiding adherence to federal privacy and security laws pursuant to the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act of 2009 (the "HITECH Act"), and the 2013 HIPAA Omnibus Rule (collectively, the "HIPAA privacy and security standards").

3. Who Should Read this Policy

This policy applies to and should be read by:

I. Units and functions impacted by the hybrid entity designation, including faculty, employees, students, volunteers, trainees, and other persons whose conduct, in the performance of work for Rutgers and/or its units, is under the direct control of such Covered Health Care Components, whether or not they are paid by Rutgers.
II. Any independent contractor, business associate or other vendor providing services to, and engaged by, the Rutgers Covered Entity.
III. Any Rutgers University workforce member of any Rutgers school, unit or department that engages in the provision, coordination, or management of health care and related services.
IV. Any Rutgers University workforce member of any Rutgers school, unit or department that receives, transmits or maintains in electronic media individually identifiable health information for the provision of medical care to patients or for health care billing and operations, or that engages in human subject research sponsored by federal, state or private programs.
V. Other University departments that assist the Rutgers Covered Entities in certain activities, including, but not limited to, the Office of Enterprise Risk Management, Ethics and Compliance, the Office of Information Technology and the Office of the Senior Vice President and General Counsel.

4. Resources

45 C.F.R. Parts 160 and 164, including 164.103 and 164.105; the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009; and the Omnibus Rule of 2013.
Rutgers University Policy 90.2.11, Policy for Subject Protection and the Institution Review Board.
Rutgers University Policies, Section 100.1: HIPAA Policies.

5. Definitions

I. Business Associate (BA): A business associate is any organization (an individual person can be an organization, e.g., an independent consultant) that creates, receives, maintains or transmits PHI on behalf of a covered entity (CE) in connection with any of the following (including but not limited to):
   A. A function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management and re-pricing; or
   B. Any other function or activity regulated by the HIPAA privacy and security standards; or
   C. Legal, actuarial, accounting, auditing, consulting, data aggregation (as defined in 45 C.F.R. 164.501), management, administrative, accreditation, or financial services provided to or for Rutgers and/or its units, or to or for an organized health care arrangement in which Rutgers and/or its units participate, where the provision of such service(s) involves the disclosure of Protected Health Information.
II. Covered Health Care Component(s): A component or combination of components of a hybrid entity designated by the hybrid entity in accordance with 45 C.F.R. 164.105(a)(2)(iii)(C): those functions or components of a Covered Entity the performance of which makes the entity a health plan, health care provider, or health care clearinghouse.
III. Covered Entity (CE): Either (1) a health care provider, (2) a health plan or (3) a health care clearinghouse that transmits any health information in electronic form in connection with a transaction covered by 45 C.F.R. 160.103. Covered Entities must comply with the HIPAA privacy and security standards and related state and federal law.
IV. Hybrid Entity: A single legal entity whose business activities include both covered and non-covered functions, and that designates its health care components, documents the designation and establishes appropriate safeguards in accordance with HIPAA between covered and non-covered functions.
V. Individually Identifiable Health Information ("IIHI"): Individually identifiable health information is a subset of health information, including demographic information collected from an individual, that is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
   A. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
   B. That identifies the individual; or
   C. With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
   For purposes of the Privacy Rule, genetic information is considered to be health information if the genetic information can be identified as IIHI.
VI. Protected Health Information ("PHI"): Protected health information means individually identifiable health information that relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual or the past, present or future payment for the provision of health care to an individual, and that identifies or could reasonably be used to identify the individual.
   A. Protected health information includes all individually identifiable health information a covered entity creates, receives, maintains or transmits in electronic form.
   B. Protected health information received, maintained or transmitted by electronic media is termed electronic PHI ("ePHI"). This policy considers ePHI a subset of PHI and includes ePHI within the definition of PHI.
   C. Protected health information excludes individually identifiable health information in: (a) education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; (b) records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and (c) employment records held by a covered entity in its role as employer.
   D. Relevant individually identifiable health information of deceased individuals should be considered PHI for 50 years after death.
VII. Research: HIPAA uses the same definition as recognized by the University, which is that of the federal Common Rule, 45 C.F.R. 46.102(d): a systematic investigation designed to develop or contribute to generalizable knowledge. Under this definition, some demonstration and service programs may include research activities.
VIII. Rutgers Covered Entity (RCE): The collective term referring to all units, schools or departments that meet the definition of a Covered Entity under 45 C.F.R. 160.103 and are required to follow the HIPAA privacy and security standards and related state and federal law.
IX. Workforce: Faculty, employees, students, volunteers, trainees, and other persons whose conduct, in the performance of work for Rutgers and/or its units, schools, institutes, centers, faculty practice plans, and the like, is under the direct control of such entity(ies), whether or not they are paid by Rutgers.

6. The Policy

I. Rutgers University has designated itself a hybrid entity in accordance with 45 C.F.R. 164.103 and 164.105.
   A. Rutgers University has determined that it performs both covered functions (e.g., outpatient services, including medical and dental care) and non-covered functions (e.g., academic departments conducting teaching activities).
   B. By the adoption and implementation of this policy, Rutgers University designates itself as a hybrid entity. Exhibit A, Declaration as a Hybrid Entity, lists the Rutgers University components, including Business Associate-like division(s), which are designated as part of the covered health care component.
   C. Documents listing the designation of Rutgers University's covered health care components shall be retained for at least six (6) years following any decision to remove any division or department from the health care components. Designations should be retained indefinitely for ongoing health care components.
II. The process to identify components to be part of the Rutgers Covered Entity ("RCE") is complicated by the fact that Rutgers engages in multiple covered and non-covered functions, with a mission that includes education, health care, and research. Workforce members often have multiple roles, both covered and non-covered. It is recognized that as the University grows, this designation may need to be revisited from time to time.
III. The following criteria are used to determine whether a component or individual workforce member is included in the RCE:
   A. Health care covered components must include any component that would meet the definition of a covered entity if that component were a separate legal entity.
   B. Health care or health plan use or disclosure: When the creation, use or disclosure of individually identifiable health information ("IIHI") is carried out by a Rutgers workforce member for the purpose of a health care provider or health plan function (treatment, payment or health care operations), the individual's identifiable health information is PHI, and the HIPAA privacy and security standards apply to those functions and to the workforce members who carry them out. Because a covered component is limited in how it can share PHI with a non-covered component, such non-covered component(s) of a hybrid entity may also be subject to the HIPAA privacy and security standards and related state and federal law.
   C. Internal support departments that would require a BAA if the department were a separate legal entity providing services to the RCE. Such departments are required to be part of the covered health care component to the extent necessary.
   D. A Rutgers component or workforce member that accepts PHI from an outside covered entity, either through a BAA or contractual HIPAA language, is subject to HIPAA requirements.
   E. A Rutgers component or workforce member that conducts research involving PHI. Whether such research falls within the RCE is a fact-sensitive, individualized determination.
      1. Research components of a hybrid entity that function as health care providers and conduct certain standard electronic transactions must be included in the hybrid entity's health care component(s) and are subject to HIPAA requirements and regulations. The two key determinants of whether IIHI is PHI are: (1) whether the function is being performed by the health care provider or health plan, and (2) the purpose for which an entity or workforce member has received, created or maintained the medical information. Functions and purposes that fall under HIPAA include treatment, payment, or health care operations.
      2. The hybrid entity is not permitted to include in its health care component a research component that does not function as a health care provider or does not conduct business associate-like functions. For example, a component that conducts purely records research and is not performing covered or business associate-like functions would not be included in the hybrid entity's health care component.
      3. Research components that function as health care providers but do not conduct electronic transactions may, but are not required to, be included in the health care component(s) of the hybrid entity. For example, if the University has a research laboratory that also functions as a health care provider but does not engage in the specified electronic transactions, the University as a hybrid entity has the option to include or exclude the research laboratory from its health care covered component.
      4. IIHI created and/or used solely for research purposes within a Rutgers covered component will be considered PHI, and thus subject to the requirements of HIPAA.
      5. IIHI created and/or used by researchers within non-covered components may or may not be subject to HIPAA requirements.
         a. If a researcher within a non-covered component who is not functioning as a health care provider creates IIHI, that IIHI is not PHI and is not subject to the HIPAA privacy and security rules.
         b. If a researcher within a non-covered component who is also a health care provider creates IIHI in connection with health care provider activities, that IIHI is PHI subject to HIPAA. In this instance, the research department should be considered to become a permanent part of the RCE, or part of the RCE for the duration of that research.
      6. IIHI that is created as PHI and is needed for research purposes may be disclosed to the researcher (the same individual health care provider who is also a researcher may disclose PHI to himself or herself in the research role) pursuant to the IRB approval process, which includes proper patient authorization or an IRB waiver of authorization. After the PHI is properly disclosed in the research setting, the IIHI transferred to the research setting may no longer be subject to the requirements of HIPAA. In certain cases, such as interventional clinical trials, if the IIHI or a copy of the IIHI is kept in the patient's medical record, that IIHI is PHI and subject to HIPAA. However, if IIHI is created, used, maintained and permanently segregated through the creation of a research record, the IIHI in the research record is not PHI.
   F. Student treatment records created by a Rutgers health care provider are FERPA records and are excluded from HIPAA.
IV. The RCE must ensure that:
   A. A covered component does not disclose PHI to a non-covered component where HIPAA would prohibit the disclosure if the health care component and the non-covered component were separate and distinct legal entities; and
   B. If a workforce member of a covered component also has workforce duties or responsibilities in non-covered components, such workforce member does not use or disclose protected health information created or received in the course of, or incident to, the member's work within the covered component in a way prohibited by HIPAA.
   C. When the use or disclosure of IIHI is carried out by Rutgers University solely in its capacity as an employer (e.g., for personnel files) or as an educational institution (e.g., training), the information is not PHI and those functions are not subject to the HIPAA privacy and security standards; the confidentiality of the individual's health information is, however, protected by other state and federal law or University policy.
V. EXHIBITS

A. Declaration of Rutgers University as a Hybrid Entity

Exhibit A: Rutgers University Declaration as a Hybrid Entity

The Health Insurance Portability and Accountability Act (HIPAA) privacy regulations (45 C.F.R. Parts 160 and 164) require that Rutgers University designate the health care components covered under HIPAA. The University is a hybrid entity, having both HIPAA covered components and non-covered components. Non-covered components are not subject to the HIPAA requirements governing the privacy of protected health information (PHI).

The Rutgers University Covered Entity (RCE) includes the following covered components:

1. Camden Health Services
2. Cancer Institute of New Jersey
3. Douglas Developmental Center
4. Environmental and Occupational Health Sciences Institute (EOHSI)
5. Emergency Medical Services
6. Employee Assistance (UBHC)
7. Ernest Mario School of Pharmacy
8. Graduate School of Applied and Professional Psychology (excluding selected departments with no PHI)
9. Institute of Health, Health Care Policy and Aging Research (excluding New Jersey Health Initiative Program)
10. Institute of Health, Health Care Policy and Aging Research - Center for State Health Policy
11. New Brunswick Health Services
12. New Jersey Medical School
13. Newark Health Services
14. Robert Wood Johnson Medical School
15. Rutgers School of Dental Medicine
16. School of Health Professions
17. School of Nursing
18. School of Nursing (Camden)
19. School of Public Health
20. University Behavioral HealthCare (UBHC)
21. Athletics

Central Administrative Services (to the extent necessary):

1. Enterprise Risk Management, Ethics and Compliance
2. Internal Audit
3. Office of the Senior Vice President and General Counsel
4. Parts of the Office of Research and Regulatory Affairs:
   a. Institutional Review Board ("IRB")
   b. Research Integrity
5. Parts of the Office of Information Technology ("OIT"):
   a. Department of Information Protection and Security
   b. Messaging Services
   c. IT Helpline
6. Records Management
7. Risk Management and Insurance Services