Privacy and Confidentiality of Individually Identifiable Health Care Information under HIPAA

University Policy 605.2, Privacy and Confidentiality of Individually Identifiable Health Care Information under HIPAA

Executive Summary: 

HIPAA is a 1996 federal statute with many purposes related to health care information. The new University policy primarily affects matters of privacy and confidentiality of health care information related to the health care activities of the Brocker Health Center and certain university offices that provide support services to Brocker Health Center.

I. Introduction
  1. This policy addresses The University of North Carolina at Charlotte's obligations to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its accompanying privacy regulations, which require the University's health care components to protect against unauthorized use or disclosure of individually identifiable health information (specifically "protected health information" or "PHI").
  2. PHI under HIPAA excludes individually identifiable health information in education records, including student health records, covered by the Family Educational Rights and Privacy Act (FERPA), as amended, 20 USC 1232g and records described at 20 USC 1232g(a)(4)(B)(iv). FERPA guidance is provided by the University's FERPA Policy (University Policy 402). Records protected by FERPA will be protected and disclosed as mandated by FERPA and University policy. It is the goal of the University, however, to apply HIPAA regulations and practices so long as such application does not result in a violation of FERPA.
II. Policy Statement
  1. The University recognizes its obligations under federal and state law to protect the confidentiality of PHI. Uses and disclosures of PHI in any form are subject to HIPAA, applicable state law, this policy, and any related University policies, regulations, and rules.
  2. When possible prior to providing care, a covered health care component of the University shall obtain and retain from each patient or authorized representative a signed and dated general consent to use or disclose PHI to carry out treatment, payment, and health care operations.
  3. To use or disclose PHI for any purpose other than treatment, payment, or health care operations, a covered component must obtain a signed and dated specific authorization (on a form approved by the University's HIPAA Privacy Officer) from the patient or authorized representative, unless authorization is waived or not required under HIPAA.
  4. Any release of information for purposes other than treatment, payment, or health care operations without a signed authorization must be reviewed and approved by the University's HIPAA Privacy Officer, except (1) where the release is to the individual patient, (2) where delay in seeking such approval would impair response to a health or safety emergency, or (3) where such release is permitted by rules of the covered health care component.
  5. Each covered health care component is delegated the authority to establish rules governing the release of PHI without authorization. Rules must be approved by the University's HIPAA Privacy Officer.
III. Definitions
  1. Protected Health Information: PHI is health information, including demographic information, created or received by the University's health components which relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual and that identifies or can be used to identify any individual. PHI does not include education records subject to FERPA or de-identified PHI.
  2. De-identified PHI: Health information that cannot be identified to the individual patient. De-identified PHI must remove specific identifiers (set forth in HIPAA) with respect to the individual, his or her relatives, employers, and household members.
  3. Consent: Consent for purposes of this policy is permission for use and disclosure of an individual's PHI for treatment, payment, and health care operations.
  4. Treatment: For the purposes of this policy, treatment is the provision, coordination or management of health care and related services by health care providers, the referral of a patient from one provider to another, or the coordination of health care or other services among health care providers and third parties authorized by the health plan or the individual.
  5. Payment: For the purposes of this policy, payment includes the activities undertaken to obtain reimbursement, including insurance for the provision of health care.
  6. Health Care Operations: Health care operations are the functions necessary for the support of treatment or payment. These functions include, but are not limited to, conducting quality assessment and improvement activities, reviewing the competence or qualifications of health care professionals, business planning and development, business management, and general administrative activities of a covered health care component.
  7. Authorization: An authorization, for purposes of this policy, is a specialized written permission for use and/or disclosure of an individual's PHI for purposes other than treatment, payment, or health care operations. An authorization must contain specific elements as approved by the University's HIPAA Privacy Officer.
  8. Covered Health Care Components: Covered health care components are those units that are health care providers and engage in HIPAA electronic transactions. The University's only covered health care component is its Student Health Services. The following functional units that provide support services to this covered component are also included:
    1. Internal Audit Office
    2. General Counsel's Office
    3. Information Technology Services Office
    4. Cashier's Office
    5. Accounts Payable Office
    6. Insurance Office
    7. The University's HIPAA Privacy Officer and HIPAA Security Officer
  9. Business Associate: A person or entity that is not a part of the University's workforce, which performs certain functions, activities, or services for the University's covered health care components involving the use and/or disclosure of PHI.
  10. Designated Record Set: Records that are the medical and billing records used in part or in whole to make decisions about the patient, except for psychotherapy notes and other records which under the law may not be accessed by the patient.
  11. HIPAA Privacy Officer and HIPAA Security Officer: Unless otherwise designated by the University, the Director of Student Health Services shall hold the titles of HIPAA Privacy Officer and HIPAA Security Officer.
IV. Operating Procedures
  1. Notice of Privacy Practices. The University's covered health care components shall provide to each patient, no later than the date of the first service delivery, a Notice of Privacy Practices containing a description of (a) the uses and disclosures of PHI that may be made by a covered health care component of the University, (b) the covered component's duties with regard to PHI, and (c) the rights afforded to patients. The Notice of Privacy Practices must be posted by each covered component and made available to patients on request.
  2. Generally Permitted Uses and Disclosures of PHI (other than for treatment, payment and health care operations).
    1. De-identified PHI. De-identified PHI may be used or disclosed without consent or authorization as long as no means of re-identification is disclosed. Release of de-identified PHI by a covered health care component of the University must receive the prior approval of the University's HIPAA Privacy Officer.
    2. Marketing. The use or disclosure of PHI for marketing purposes (communication intended to encourage the purchase or use of products or services) requires an authorization, except for face-to-face communications with the individual patient by the covered health care component (a) to describe health related products or services that are provided by or included in a plan of benefits; (b) for treatment of the patient; or (c) for case management or care coordination or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to that individual.
    3. Business Associates. PHI may be used and disclosed to a business associate of a covered component provided the business associate has signed and is in compliance with a Business Associate Agreement in a form approved by the University's HIPAA Privacy Officer.
    4. Research. Use or disclosure of PHI for University research purposes generally requires the permission of the patient(s). Such permission must be in the form of an authorization as defined above. Use or disclosure is permitted without authorization if the University's institutional review board (IRB) grants a waiver of the authorization.
  3. Consent or Authorization Not Required under HIPAA. The disclosures without consent or authorization that are permitted by HIPAA are set forth below. To the extent that North Carolina law is more stringent or provides greater privacy protection, North Carolina law will apply.
    1. Disclosures required by law. PHI may be disclosed to the extent required by law.
    2. Public Health Activities. PHI may be used and disclosed to a public health authority that is authorized by law to collect or receive such information for preventing or controlling disease, injury, or disability, including public health issues, vital records, child or adult abuse or neglect, adverse food or drug events, and investigations of work-related illnesses or injuries as required by law.
    3. Victims of Abuse, Neglect or Domestic Violence. PHI may be used or disclosed to a government authority that is investigating a report of abuse, neglect, or domestic violence to the extent disclosure is required or permitted by law.
    4. Health Oversight Activities. With certain exceptions, PHI may be used or disclosed to a health oversight agency for oversight activities authorized by law, including audits, civil, administrative or criminal investigations or proceedings, inspections, licensure, or disciplinary actions.
    5. Judicial and Administrative Proceedings. PHI may be disclosed in the course of a judicial or administrative proceeding in response to a valid court order.
    6. Law enforcement purposes. PHI may be disclosed for law enforcement purposes under certain conditions.
    7. Decedents. PHI regarding decedents may be disclosed to coroners, medical examiners, and funeral directors if necessary to carry out their duties.
    8. Serious Threats to Health or Safety. PHI may be used or disclosed under certain circumstances if a covered component believes in good faith that the use or disclosure is necessary to protect a person or the public from serious harm.
    9. Specialized Government Functions. PHI may be used or disclosed for specialized government functions such as military and veterans' activities, security and intelligence activities, protective services for officials, medical suitability, and correctional institutions and other law enforcement custodial situations.
    10. Workers' Compensation. PHI may be used or disclosed to the extent required to comply with workers' compensation laws and similar programs.
  4. Revocation of Authorization. Under any circumstances other than those listed above, written authorization will be obtained before use or disclosure of the patient's PHI. This authorization may be subsequently revoked by the patient in writing. Upon receipt of such revocation, a covered health care component of the University will not disclose the patient's PHI, except for disclosures which were in process prior to the receipt of the revocation.
V. Minimum Necessary Standard.
Covered health care components must limit uses and disclosures of PHI to the minimum necessary to accomplish the intended purpose of the use or disclosure except (1) disclosures to or requests by a health care provider for treatment purposes; (2) disclosures to the individual patient; (3) uses and disclosures with authorization; or (4) uses and disclosures for research with IRB waiver of authorization.
VI. Patient Rights.
  1. Right to Receive a Notice of Privacy Practices. No later than the date of the first delivery of health care services, a patient has the right to receive a Notice of Privacy Practices containing a description of (a) the uses and disclosures of PHI that may be made by a covered health care component of the University, (b) the covered component's duties with regard to PHI, and (c) the rights afforded to patients. The Notice of Privacy Practices is provided by the applicable covered health care component.
  2. Right to Access PHI. A patient has a right to inspect and receive a copy of his or her PHI that is used to make decisions about the patient for as long as the University maintains the information, except for information specifically exempted from disclosure to the patient by HIPAA. A patient must make a request for such access to the applicable covered health care component.
  3. Right to Request an Amendment of PHI. A patient has a right to request an amendment of PHI contained in designated records sets. A covered health care component is not required to grant the request for amendment and may deny the request under specified circumstances.
  4. Right to an Accounting of Disclosures. A patient has the general right to receive an accounting of disclosures of PHI in the six years prior to the request. A patient must make a request for a list of disclosures to the applicable covered health care component.
  5. Right to Request Restrictions on Release of PHI.
    1. A patient has a right to request restrictions on the uses and disclosures of PHI to carry out treatment, payment, or health care operations, and restrictions on disclosures made to an individual's family, friends, or relatives. The covered health care component is not required to agree to the requested restriction. However, if the covered health care component does agree, it must abide by the restriction except in emergencies and in situations where use or disclosure is permitted by HIPAA without authorization.
    2. An agreed upon restriction may be terminated by the patient or by the covered health care component provided that the termination is effective only for PHI created or received after the date of termination.
    3. Restrictions that are agreed to and terminations of agreed upon restrictions must be documented in writing and retained by the covered health care component for a period of six years from the date of the creation of the termination or restriction or from the date it was last in effect, whichever is later.
  6. Right to Receive Confidential Communication. A patient has the right to request how and where to be contacted to receive PHI. This request must be made in writing, and it must state the address at which the PHI is to be received and explain whether the request will interfere with the patient's chosen method of payment. The covered health care component will accommodate all reasonable requests. Requests may be made by contacting the University's Privacy Officer.
  7. Right to File a Complaint. If a patient is concerned that a covered health care component of the University has violated any of the patient's privacy rights, or if a patient disagrees with a decision that is made about access to his or her PHI, the patient may contact the University's Privacy Officer. The patient may also file a written complaint to the Director, Office for Civil Rights of the U.S. Department of Health and Human Services. There will be no intimidation, threat, coercion, discrimination or retaliation against any individual for filing a complaint or for exercising any of the above-listed rights.
VII. Physical and Electronic Security of PHI
HIPAA requires physical and electronic security to maintain the privacy of PHI in all forms, including oral, written, and electronic. Covered health care components shall ensure the physical and electronic security of all PHI.
VIII. Breaches of Privacy and Security
  1. Breaches of privacy or security of PHI are to be reported immediately to the University's HIPAA Privacy Officer.
  2. Covered health care components must mitigate, to the extent practicable, any known harmful effects of the use or disclosure of PHI in violation of this policy or the requirements of HIPAA.
  3. Any University employee or contractor who is in violation of this policy is subject to disciplinary action up to and including discharge in accordance with applicable University policies and procedures. Individuals may also be subject to civil and criminal penalties under HIPAA.
 
Revision History: 

Initially Approved by the Chancellor April 7, 2003
Revised effective January 11, 2007